topic Re: How to overlay 2 searches to generate linechart and area chart? in Splunk Search

How to overlay 2 searches to generate linechart and area chart?

mmouse88 — Sat, 22 Nov 2014 06:28:56 GMT

Using 6.1, I would like to create a horizontal line with area chart. I have read so many examples and my search command has produce very close result. Only thing missing is to show by sourcetype limit=n (number). Here's my command:

index=name | bin _time span=15m | eventstats max(total_capacity) as Available | timechart sum(eval(quantity/12)) span=1h as current_usage first(Available) as available

Right now it shows the horizontal line which is available and under is the area chart which is current_usage. very close to what i want.

I would like to some how show current_usage is a sourcetype. example: by sourcetype limit=n (number). Instead solid area chart, it has a breakdown what the sourcetype is. sourcetype = powertools (hammer, wrench, screwdriver, etc).

Thanks.

Re: How to overlay 2 searches to generate linechart and area chart?

martin_mueller — Sat, 22 Nov 2014 14:29:00 GMT

I'm not quite sure if I understand your question correctly, are you trying to split the area by sourcetype but still show one overlay line overall?

Try this:

  index=name
| timechart span=1h sum(eval(quantity/12)) as current_usage max(total_capacity) as available by sourcetype
| rename "current_usage: *" as * | eval available = 0
| foreach "available: *" [eval available = if(isnull('<<FIELD>>' OR '<<FIELD>>' < available, available, '<<FIELD>>')]
| eventstats max(available) as available | fields - "available: *"

Re: How to overlay 2 searches to generate linechart and area chart?

mmouse88 — Mon, 28 Sep 2020 18:14:58 GMT

sorry for the confusion. Basically i want to show two charts: line and area where the area would like to breakdown what current_usage is. current_usage is powertools. Powertools has hammer, wrench, screwdriver, etc.

Re: How to overlay 2 searches to generate linechart and area chart?

martin_mueller — Sat, 22 Nov 2014 16:57:21 GMT

That doesn't reduce my confusion. If the search I posted earlier doesn't miraculously do what you need you should post a batch of sample data along with how you want the chart to look like.

Re: How to overlay 2 searches to generate linechart and area chart?

mmouse88 — Mon, 28 Sep 2020 18:15:01 GMT

basically, if I break the last search:

index=name | bin _time span=15m | timechart sum(eval(quantity/12)) span=1h as current_usage first(Available) as available

replace it with

index=name | bin _time span=15m | timechart sum(eval(quantity/12)) span=1h by sourcetype limit=10

The area chart wll display 10 sourcetypes. Hope this helps.

Re: How to overlay 2 searches to generate linechart and area chart?

martin_mueller — Sun, 23 Nov 2014 11:18:13 GMT

My search doesn't yield ten sourcetypes and one available column?

Re: How to overlay 2 searches to generate linechart and area chart?

mmouse88 — Sun, 23 Nov 2014 16:29:31 GMT

sorry again, use this link as example http://docs.splunk.com/Documentation/Splunk/6.1.3/SearchReference/Timechart. Example one is a stacked bar chart, the type is ProductName. Instead of bar chart, mine is stacked area chart with 10 types shown. Maybe i was using the wrong terminology, sourcetype vs type.

Re: How to overlay 2 searches to generate linechart and area chart?

mmouse88 — Mon, 24 Nov 2014 03:30:53 GMT

you are correct that your search will not yield 10 sourcetypes and one available column if you use the original search. My question was how to change it to display 10 sourcetypes on the visualization tab with the line chart and area chart and 10 columns on the Statistics tab

Re: How to overlay 2 searches to generate linechart and area chart?

mmouse88 — Mon, 24 Nov 2014 17:30:25 GMT

I was able to figure this out by using "appendcols"