I am getting data from Snowflake into Splunk using Splunk DB Connect. This is just 4 lines of data for demo purposes. Below is the Splunk data (SELECT * FROM example_database. table):
EMP_ID EMP_NAME EMP_SALARY
1 John 3000
2 Greg 3200
3 Peter 1200
4 Mark 2000
I want to create a simple bar dashboard in Splunk which displays emp_name and emp_salary on the x and y axes respectively. I am using the following query in Splunk search and reporting:
source="check" "EMP_NAME" "EMP_SALARY" | top EMP_SALARY
But it's showing me bars with equal heights (they should be of different heights as the salaries are different). Any suggestions as to what I am doing wrong in the query? Thanks for the help :)
The top command sees four salaries with one person earning each so they're each 25%. That's why the graph is flat, but that's OK because top is not what is needed here. Use top when you want to find the most common values of a field or set of fields. Be aware that top also discards fields so use with caution. For graphing, try the chart command, instead.
| makeresults
| eval _raw="EMP_ID EMP_NAME EMP_SALARY
1 John 3000
2 Greg 3200
3 Peter 1200
4 Mark 2000"
| multikv forceheader=1
| chart max(EMP_SALARY) as EMP_SALARY over EMP_NAME