topic Re: How to bundle two timecharts that are split by the same field in Dashboards & Visualizations

How to bundle two timecharts that are split by the same field

ee07b291 — Fri, 29 Sep 2017 22:45:28 GMT

For example, I'm creating a dashboard with two timecharts like below:

eventtype="watchlist_result" 
|  timechart span=1h limit=0 first(nDevices) by name 
|  fillnull value=0

eventtype="watchlist_result" 
|  timechart span=1h limit=0 first(nActivities) by name 
|  fillnull value=0

And in the dashboard I configure using 'Trellis' so I get chart for each 'name'... One thing that is cumbersome is that I end up with two panels, and if user wants to look at the device and activity count for the same name, they have to scroll on both panels...

However, I would like to bundle the two timecharts (since they are split by the same field 'name') into one panel, so that charts with same name are presented together and user just needs to scroll once,

[Edit]

To clarify further, the nDevices, nActivities and name are fields extracted from the event,

Since the charts are all split by the same field name, i would like to have a way to have the device/activity chart from the same name shown together like a pair in trellis,,, something look like below:

Re: How to bundle two timecharts that are split by the same field

DalJeanis — Sun, 01 Oct 2017 16:16:08 GMT

@ee07b291 - The two queries you posted are identical.

Re: How to bundle two timecharts that are split by the same field

ee07b291 — Sun, 01 Oct 2017 17:09:03 GMT

@DalJeanis updated,

Re: How to bundle two timecharts that are split by the same field

DalJeanis — Mon, 02 Oct 2017 04:27:08 GMT

Start with this...

 eventtype="watchlist_result" 
| eval fan = mvrange(0,2)
| mvexpand fan
| eval value=if(fan=0,nDevices,nActivities)
| eval type=if(fan=0,name." Devices", name." Activities")
|  timechart span=1h limit=0 first(value) by type
|  fillnull value=0

I'm not sure exactly what the meaning of nDevices or nActivities is, or why you have by name but have only one set of results, but this should produce a results that combines your prior two results into a single timechart.

Re: How to bundle two timecharts that are split by the same field

niketn — Mon, 02 Oct 2017 07:10:53 GMT

Merge the timechart for to different series in one and then Use Trellis Formatting Options in UI to Split By name.

 eventtype="watchlist_result" 
 |  timechart span=1h limit=0 first(nDevices) as nDevices first(nActivities) as nActivities by name 
 |  fillnull value=0

Following is the Simple XML option for Splitting Trellis by name

    <option name="trellis.splitBy">name</option>

Since your scale for nDevice (in example max is 1) and scale for nActivities differ by a lot ideally you should create a Chart Overlay also. Following will create an overlay for nDevices with a inherited scale to interpret device increments/decrements easily according to activities.

    <option name="charting.axisTitleY.text">nActivities</option>
    <option name="charting.axisTitleY.visibility">visible</option>
    <option name="charting.axisTitleY2.text">nDevices</option>
    <option name="charting.axisTitleY2.visibility">visible</option>
    <option name="charting.chart.overlayFields">nDevices</option>
    <option name="charting.axisY2.scale">inherit</option>
    <option name="charting.chart.nullValueMode">zero</option>

PS: Chart Overlay is optional but I feel you would be able to get better interpretation with the same.

Re: How to bundle two timecharts that are split by the same field

ee07b291 — Mon, 02 Oct 2017 18:15:31 GMT

@DalJeanis Thx for showing me this syntax!~

Sorry for not being fully clear, just updated my question with more context,,,

Unfortunately this is not really what I want,

Re: How to bundle two timecharts that are split by the same field

ee07b291 — Mon, 02 Oct 2017 18:17:27 GMT

@niketnilay

Thanks a lot for the reply, just updated my question with more context on exactly what I want,,,

Unfortunately i do not want to use overlay with separate scales,,, just would like to know if there is a way to bundle/pair two time charts split by the same field,

Re: How to bundle two timecharts that are split by the same field

niketn — Tue, 03 Oct 2017 01:15:14 GMT

If you do not want to overlay you can just choose to create Combined timechart and split Trellis by name. You need not perform the subsequent steps for chart overlay... they were just a suggestion.

Re: How to bundle two timecharts that are split by the same field

Tom1187 — Sun, 28 Jan 2018 00:34:09 GMT

Any luck with this? I'm in a similar situation right now

Re: How to bundle two timecharts that are split by the same field

cblanton — Tue, 24 Sep 2019 16:21:10 GMT

hi @niketnilay, i've been trying to implement your solution here for the same issue. i would like to use the overlay without trellis, but the fields become a concatenation with the by value so the overlayField doesn't work. i'm able to make it work in the GUI by manually choosing each concatenated value for a particular search, but it doesn't generalize for the dashboard.

thanks for any suggestions. is it possible to have a wildcard in the field name or something similar, for example?

Re: How to bundle two timecharts that are split by the same field

niketn — Thu, 26 Sep 2019 15:40:38 GMT

@cblanton if you have more than one aggregation along with a split by field in timechart then you will have multiple series names created in regular visualizations which is expected behavior. And this is was Trellis solves. However, if you do not want Trellis could you please elaborate on what works for you in Search but not in dashboard? Also if possible add your search query some dummy sample data and screenshot of the results (both expected and actual). Please mock/anonymize any sensitive information before posting.

Re: How to bundle two timecharts that are split by the same field

cblanton — Mon, 30 Sep 2019 18:17:29 GMT

thanks, @niketnilay, I went ahead and posted this as a new question. https://answers.splunk.com/answers/773306/timechart-of-two-stats-with-split-by-same-field-on.html