https://community.splunk.com/t5/Splunk-Search/Why-does-my-chart-lose-interactivity-with-a-search-using-quot/m-p/319999#M95640 <P>I can't explain why there is an issue, but I think I can help you another way.</P> <P>Try this instead. Improves performance by using <CODE>tstats</CODE> and removes the ambiguity of using <CODE>appendcols</CODE>.</P> <PRE><CODE> index=my_index | eval _time = strptime(Closed, "%Y-%m-%d %H:%M:%S") | chart limit=0 count over _time span=1w by Category | append [ tstats count as inbound where index=my_index by _time span=1w] | timechart span=1w latest(*) as * </CODE></PRE> Mon, 27 Feb 2017 18:57:55 GMT rjthibod 2017-02-27T18:57:55Z https://community.splunk.com/t5/Splunk-Search/Why-does-my-chart-lose-interactivity-with-a-search-using-quot/m-p/319996#M95637 <P>Hello All,</P> <P>Currently using Splunk 6.5.1.</P> <P>As the question implies, I have a search that uses the <CODE>appendcols</CODE> command to add an additional column to a timechart making sure to use the same interval so it aligns correctly. I've added this new column as an overlay to the chart, but keeping it on the same axis.</P> <P>I've noticed that the interactive nature of the chart is lost so I cannot highlight any values. The only way to solve it is to remove the <CODE>appendcols</CODE> command. Is this a known issue, or is there a way to fix it?</P> <P>Thank you and best regards,</P> <P>Andrew</P> Mon, 27 Feb 2017 15:36:47 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-my-chart-lose-interactivity-with-a-search-using-quot/m-p/319996#M95637 andrewtrobec 2017-02-27T15:36:47Z https://community.splunk.com/t5/Splunk-Search/Why-does-my-chart-lose-interactivity-with-a-search-using-quot/m-p/319997#M95638 <P>The community can most efficiently help you if you share details about your search. Please share your SPL if you can.</P> Mon, 27 Feb 2017 16:28:16 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-my-chart-lose-interactivity-with-a-search-using-quot/m-p/319997#M95638 rjthibod 2017-02-27T16:28:16Z https://community.splunk.com/t5/Splunk-Search/Why-does-my-chart-lose-interactivity-with-a-search-using-quot/m-p/319998#M95639 <P>Thanks for the response!</P> <P>Here is the SPL:</P> <PRE><CODE>index=my_index | eval _time = strptime(Closed, "%Y-%m-%d %H:%M:%S") | timechart span=1w count by Category | appendcols [ search index=my_index | timechart span=1w count as inbound ] </CODE></PRE> <P>This will generate a table that looks like this:</P> <PRE><CODE>_time,cat_a,cat_b,cat_c,cat_d,inbound 2016-08-04,0,3,1,2,1 2016-08-11,0,3,8,0,0 2016-08-18,0,22,10,12,36 2016-08-25,0,15,42,7,70 2016-09-01,0,39,56,12,137 2016-09-08,0,29,61,5,98 2016-09-15,0,29,65,7,242 2016-09-22,0,22,24,2,219 2016-09-29,0,16,13,2,228 2016-10-06,0,16,4,4,231 2016-10-13,0,6,6,2,256 2016-10-20,0,5,17,3,211 </CODE></PRE> <P>When formatting the chart, the first thing I notice is that when I try to make <CODE>Inbound</CODE> as an overlay, the list of fields does not prepopulate as it usually does (I have to type it all in manually):</P> <P><IMG src="http://i.imgur.com/TE1LiTG.png" alt="alt text" /></P> <P>The final result is the following, but it is not interactive:</P> <P><IMG src="http://i.imgur.com/8pVMzN2.png" alt="alt text" /></P> <P>I hope this helps to clarify the situation!</P> <P>Thank you and best regards,</P> <P>Andrew</P> Mon, 27 Feb 2017 18:40:30 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-my-chart-lose-interactivity-with-a-search-using-quot/m-p/319998#M95639 andrewtrobec 2017-02-27T18:40:30Z https://community.splunk.com/t5/Splunk-Search/Why-does-my-chart-lose-interactivity-with-a-search-using-quot/m-p/319999#M95640 <P>I can't explain why there is an issue, but I think I can help you another way.</P> <P>Try this instead. Improves performance by using <CODE>tstats</CODE> and removes the ambiguity of using <CODE>appendcols</CODE>.</P> <PRE><CODE> index=my_index | eval _time = strptime(Closed, "%Y-%m-%d %H:%M:%S") | chart limit=0 count over _time span=1w by Category | append [ tstats count as inbound where index=my_index by _time span=1w] | timechart span=1w latest(*) as * </CODE></PRE> Mon, 27 Feb 2017 18:57:55 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-my-chart-lose-interactivity-with-a-search-using-quot/m-p/319999#M95640 rjthibod 2017-02-27T18:57:55Z https://community.splunk.com/t5/Splunk-Search/Why-does-my-chart-lose-interactivity-with-a-search-using-quot/m-p/320000#M95641 <P>Hello and thanks for the suggestion.</P> <P>In my case I am tracking items that have an <CODE>open</CODE> date and a <CODE>closed</CODE> date, with _time set to the <CODE>open</CODE> date. What I want to do is show how many items are closed per week while also showing how many items are opened. The <CODE>appendcols</CODE> command seems ideal, and I can avoid calling an external script to process the data. Unless there is another way?</P> <P>Best regards,</P> <P>Andrew</P> Tue, 28 Feb 2017 06:41:48 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-my-chart-lose-interactivity-with-a-search-using-quot/m-p/320000#M95641 andrewtrobec 2017-02-28T06:41:48Z https://community.splunk.com/t5/Splunk-Search/Why-does-my-chart-lose-interactivity-with-a-search-using-quot/m-p/320001#M95642 <P>OK understood. Going back to your original, try this.</P> <PRE><CODE>index=my_index | chart limit=0 count over _time span=1w by Category | append [ tstats count as inbound where index=my_index by _time span=1w] | timechart span=1w latest(*) as * </CODE></PRE> Tue, 28 Feb 2017 11:43:21 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-my-chart-lose-interactivity-with-a-search-using-quot/m-p/320001#M95642 rjthibod 2017-02-28T11:43:21Z https://community.splunk.com/t5/Splunk-Search/Why-does-my-chart-lose-interactivity-with-a-search-using-quot/m-p/320002#M95643 <P>This works, I had to add an <CODE>eval</CODE> to set <CODE>_time</CODE> to <CODE>Closed</CODE>, but the structure is perfect.</P> <P>In the meantime I found another way of doing it:</P> <PRE><CODE> index=my_index | eval _time = strptime(Closed, "%Y-%m-%d %H:%M:%S") | timechart span=1w count by Category | join type=left _time [ search index=my_index | timechart span=1w count as inbound ] </CODE></PRE> <P>(all I did was replace <CODE>appendcols</CODE> with a <CODE>join type=left _time</CODE>)</P> <P>In my solution the join type means that the leftmost search will determine which values to show, whereas yours will show instances of the rightmost search where there is no match with the leftmost search.</P> <P>Thank you very much!</P> <P>Regards,</P> <P>Andrew</P> Tue, 28 Feb 2017 12:32:34 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-my-chart-lose-interactivity-with-a-search-using-quot/m-p/320002#M95643 andrewtrobec 2017-02-28T12:32:34Z https://community.splunk.com/t5/Splunk-Search/Why-does-my-chart-lose-interactivity-with-a-search-using-quot/m-p/320003#M95644 <P>I am sorry for removing the <CODE>eval</CODE> from my solution. That was an error on my part.</P> <P>In general, you should avoid using <CODE>join</CODE> as much as possible. There are numerous entries in Splunk answers and a Splunk .conf 2016 talk about why. I will update my original answer with my latest one. You should accept that answer as the final solution.</P> Tue, 28 Feb 2017 13:22:01 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-my-chart-lose-interactivity-with-a-search-using-quot/m-p/320003#M95644 rjthibod 2017-02-28T13:22:01Z https://community.splunk.com/t5/Splunk-Search/Why-does-my-chart-lose-interactivity-with-a-search-using-quot/m-p/320004#M95645 <P>Thank you so much, this works perfectly! I have one additional query:</P> <P>I see that <CODE>tstats</CODE> is fast for index-time fields and works in this particular case. What is the best approach, though, if the appended search has to apply filters and perform more advanced operations? Here is a similar scenario:</P> <PRE><CODE>index=my_index | search Category="A") | timechart span=1d count as EnterCount | join type=left _time [ search index=my_index | search (Category="A") | eval _time = strptime(Exit, "%Y-%m-%d %H:%M:%S") | timechart span=1d count as ExitCount ] | fillnull value=0 </CODE></PRE> <P>How would the <CODE>join</CODE> be replaced with <CODE>append</CODE> in this case?</P> <P>Best regards,</P> <P>Andrew</P> Tue, 28 Feb 2017 14:16:15 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-my-chart-lose-interactivity-with-a-search-using-quot/m-p/320004#M95645 andrewtrobec 2017-02-28T14:16:15Z https://community.splunk.com/t5/Splunk-Search/Why-does-my-chart-lose-interactivity-with-a-search-using-quot/m-p/320005#M95646 <P>Here is an improved version.</P> <P>Note, your filter of <CODE>Category="A"</CODE> should be moved to the first search step where it will be much, much faster.</P> <P>You can almost always replace <CODE>join _time type=left</CODE> with <CODE>append</CODE> followed by <CODE>stats</CODE>, <CODE>chart</CODE>, or <CODE>timechart</CODE> that will transform the data on the <CODE>_time</CODE> dimension. In my example, I don't merge the columns until the last command.</P> <PRE><CODE>index=my_index Category="A" | chart count as EnterCount over _time span=1d | append [ search index=my_index Category="A" | eval _time = strptime(Exit, "%Y-%m-%d %H:%M:%S") | chart count as ExitCount over _time span=1d ] ] | timechart span=1d latest(*) as * | fillnull value=0 </CODE></PRE> Tue, 28 Feb 2017 15:38:37 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-my-chart-lose-interactivity-with-a-search-using-quot/m-p/320005#M95646 rjthibod 2017-02-28T15:38:37Z