Circle packing / pack layout / bubble chart visualization built with D3. Optional click-to-zoom and plenty of color themes.
Copyright (C) 2019 Chris Younger. I am a Splunk Professional Services consultant working for JDS Australia, in Brisbane Australia.
Source code | Questions, Bugs or Suggestions | My Splunk apps
This app is not "visible" in the Splunk UI app menu. After installing the app, follow this process:
1. Do a search of any data and switch to the visualisation tab
2. In the top left, in the visualisation menu, select "Circlepack viz"
3. Open the "Format" menu then select "Help"
4. There will be a link to the in-app documentation, which includes working examples
This visualisation expects tabular data with any number of text/category columns, but the last column must be a numeric value.
For example, the following data:
| field1 | field2 | field3 | numeric_value |
|---|---|---|---|
| outer1 | mid1 | node1 | 5 |
| outer1 | mid1 | node2 | 4 |
| outer1 | mid2 | node3 | 9 |
| outer2 | mid3 | node4 | 13 |
Would produce this:
The typical search uses the stats command like so:
index=* | stats count BY index sourcetype source
Sidenote: a much faster search that produces the same result is:
|tstats count where index=* BY index sourcetype source
Note that stats does not return rows when the group BY field is null. Convert nulls to an empty string like this:
index=_internal
| eval component = coalesce(component,"")
| eval log_level = coalesce(log_level,"")
| stats count BY sourcetype component log_level
Add more fields after the "BY" keyword to increase the nesting depth.
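To make the data model concrete, here is an added example (not code from the Circlepack viz app) that turns Splunk-style tabular rows into the nested tree a circle-pack layout consumes. It assumes each row is an array of cells with the category columns first and the numeric value last, as described above; the sample rows are constructed from the table on this page plus two edge cases (a null group key and a non-numeric value), and the function names are this example's own.

```javascript
// Added example, not the Circlepack viz app's own code: build the nested
// tree a circle-pack layout consumes from Splunk-style tabular rows.
// Assumption: each row is an array of cells, category columns first and
// the numeric value last, exactly as the page describes.

// Constructed sample input: the page's four rows plus two edge cases.
const SAMPLE_ROWS = [
  ["outer1", "mid1", "node1", "5"],
  ["outer1", "mid1", "node2", "4"],
  ["outer1", "mid2", "node3", "9"],
  ["outer2", "mid3", "node4", "13"],
  ["outer2", null,   "node5", "2"],   // null group key, see the coalesce() note
  ["outer2", "mid3", "node6", "n/a"], // non-numeric last column
];

function buildHierarchy(rows) {
  const root = { name: "root", children: [] };
  let skipped = 0;

  for (const row of rows) {
    if (!Array.isArray(row) || row.length < 2) { skipped += 1; continue; }
    const value = Number(row[row.length - 1]);
    // A non-numeric or negative value would give the layout NaN or negative
    // radii, so drop the row instead of letting it break the whole chart.
    if (!Number.isFinite(value) || value < 0) { skipped += 1; continue; }

    let node = root;
    for (const rawKey of row.slice(0, -1)) {
      // Null keys become "" so the row still appears; this mirrors the
      // eval coalesce(field,"") advice, applied after the search instead.
      const key = rawKey == null ? "" : String(rawKey);
      let child = node.children.find((c) => c.name === key);
      if (!child) {
        child = { name: key, children: [] };
        node.children.push(child);
      }
      node = child;
    }
    // Identical paths accumulate rather than overwrite.
    node.value = (node.value || 0) + value;
  }
  return { root, skipped };
}

// Roll leaf values up to every ancestor, the way d3.hierarchy().sum() does.
function sumTree(node) {
  let total = node.value || 0;
  for (const child of node.children || []) total += sumTree(child);
  node.total = total;
  return total;
}

// Depth of the tree: the root plus one level per BY field.
function treeDepth(node) {
  if (!node.children || node.children.length === 0) return 1;
  return 1 + Math.max(...node.children.map(treeDepth));
}

function findChild(node, name) {
  return node.children.find((c) => c.name === name);
}

// Run on the constructed sample so the results can be inspected directly.
const { root: SAMPLE_TREE, skipped: SAMPLE_SKIPPED } = buildHierarchy(SAMPLE_ROWS);
sumTree(SAMPLE_TREE);
```

The `skipped` count is worth surfacing in the UI: a silently dropped row is how a chart ends up "missing" a category without anyone noticing.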
The "Color overrides" field accepts either a JSON object (in curly braces) or comma-separated pairs. For example, to make sure that "INFO" values are green, "WARN" values are orange and "ERROR" values are red, set the value like so:
INFO,#1a9035,ERROR,#b22b32,WARN,#AF5300
The "Set color by" options beginning "First field..." let the data set the color of the leaf node without affecting the grouping. The "First field as color codes (n/g)" option allows valid HTML color codes to be passed in from the search. Here is an example search:
index=_internal
| stats sum(count) as count BY log_level component
| eval color = case(log_level=="ERROR", "#b22b32",log_level=="INFO", "#1a9035",log_level=="WARN", "#AF5300", true(), "blue")
| table color component count
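Both the "Color overrides" setting and the "First field as color codes" option feed strings from a user-controlled source (a format field or a search result) into SVG fill attributes. The following added example, which is not the app's own code, shows one way to parse the overrides format described above (a JSON object or comma-separated pairs) and to validate every color before it is used. The regular expressions, the allowlist policy, the `resolveFill` precedence and all function names are this example's assumptions, not documented app behaviour.

```javascript
// Added example, not the Circlepack viz app's own code: parse the
// "Color overrides" setting and validate colors from the search before
// they reach an SVG attribute. Regexes and policy are assumptions.

// Allowlist: hex codes (#rgb, #rgba, #rrggbb, #rrggbbaa) or plain
// letter-only names such as "blue". Anything else (url(...), semicolons,
// braces) is rejected rather than passed through to the DOM.
const HEX_COLOR = /^#(?:[0-9a-f]{3}|[0-9a-f]{4}|[0-9a-f]{6}|[0-9a-f]{8})$/i;
const NAMED_COLOR = /^[a-z]{3,20}$/i;

function isSafeColor(value) {
  if (typeof value !== "string") return false;
  const v = value.trim();
  return HEX_COLOR.test(v) || NAMED_COLOR.test(v);
}

// Returns { map, rejected }: map is label -> color for valid entries,
// rejected lists what was dropped so it can be reported, not hidden.
function parseColorOverrides(text) {
  // Null-prototype object: a JSON key such as "__proto__" then becomes an
  // ordinary own property instead of altering the object's prototype.
  const map = Object.create(null);
  const rejected = [];
  if (typeof text !== "string" || text.trim() === "") return { map, rejected };
  const s = text.trim();

  let pairs = [];
  if (s.startsWith("{")) {
    let obj;
    try { obj = JSON.parse(s); } catch (e) { rejected.push(s); return { map, rejected }; }
    if (obj === null || typeof obj !== "object" || Array.isArray(obj)) {
      rejected.push(s);
      return { map, rejected };
    }
    pairs = Object.entries(obj);
  } else {
    // Comma-separated form: label,color,label,color,...
    const parts = s.split(",").map((p) => p.trim());
    for (let i = 0; i + 1 < parts.length; i += 2) pairs.push([parts[i], parts[i + 1]]);
    if (parts.length % 2 === 1) rejected.push(parts[parts.length - 1]); // dangling label
  }

  for (const [label, color] of pairs) {
    if (isSafeColor(color)) map[label] = String(color).trim();
    else rejected.push(`${label}=${color}`);
  }
  return { map, rejected };
}

// Fill for one leaf: an explicit override wins, then a validated color
// supplied by the search (the "First field as color codes" option),
// then a fallback. Precedence is this example's choice.
function resolveFill(label, searchColor, overrides, fallback = "#999999") {
  if (overrides && Object.prototype.hasOwnProperty.call(overrides, label)) {
    return overrides[label];
  }
  if (isSafeColor(searchColor)) return searchColor.trim();
  return fallback;
}

// Constructed inputs: the page's own override string plus a JSON form
// carrying one invalid entry.
const OVERRIDES_CSV = parseColorOverrides("INFO,#1a9035,ERROR,#b22b32,WARN,#AF5300");
const OVERRIDES_JSON = parseColorOverrides('{"INFO":"#1a9035","BAD":"not a colour"}');
```

When an entry is rejected, show the `rejected` list in the format menu rather than silently falling back: an operator who typed a bad color should learn why it had no effect.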
Note that when the "Click action" is set to "Zoom in", the labels are not clipped and will probably overlap.
The following third-party libraries are used by this app. Thank you!
v.1.3.6
* Update internal jquery library for Splunk Cloud compatibility
v.1.3.4
* Token handling improvements. New format menu option so you can set what the token will default to, when null.
v.1.1.4
* Minor bug fixes
v1.1.3
* Fix for 7.3 to remove "undefined" messages in format menu
Add better formatting options for labels. Fix IE11/Edge support. Better handling of large datasets.