
Timechart for stacked with multiseries

Esperteyu
Explorer

Hi,

I'm really struggling with something I thought would be easier. I'm trying to display a timeline of ratios between error/total for several types of requests and thought it would be nice if I could use stacked columns for each of them (and, as the number of them is big, maybe using the trellis visualization), but I can't make it work. I looked into many answers and the closest one was this one, but as the author says, it doesn't work fine.

My query would be something as "simple" as

base_search
| stats count as total sum(error) as errors by request_type

I have honestly lost track of how many things I tried, any help?

0 Karma

renjith_nair
SplunkTrust

@Esperteyu ,

Are you trying to create just a chart with stacked series? Something similar to this?

<form>
  <label>testing</label>
  <row>
    <panel>
      <chart>
        <search>
          <query>index=_* earliest=-15m |timechart span=5m count,avg(date_hour) by sourcetype</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.chart.style">minimal</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
  </row>
</form>
0 Karma

Esperteyu
Explorer

@renjith.nair Not sure if it's a setting, but I can't seem to be able to use simple XML (?); I can just create dashboards based on searches. But by the look of it, I'm not sure if that's what I'm after, as I would like a stacked bar chart of percentages (for instance errors: 10%, success: 90%) over time for quite a few types as the split-by field.

0 Karma

Vijeta
Influencer

Can you please share a sample log with field names?

0 Karma

Esperteyu
Explorer

Thanks @Vijeta, not sure if it helps a lot, but with the above query for a given range I get something like this:

request_type   total   errors
BASIC:AUS      10708   527
SCHEMA1:AUS    6469    247
BASIC:USA      18467   230
SCHEMA1:CAN    7385    124
SCHEMA2:USA    6003    86
BASIC:CAN      1477    33
BASIC:UK       3       0
SCHEMA2:AUT    102     0
BASIC:BGR      24      0

I evaluate the request_type from the body of the response log, just extracting strings, and errors would be evaluated like this: | eval error=if(like(response,"%FAILED%"),1,0) before summing them up.

0 Karma

adonio
SplunkTrust

What is the anticipated result?
Maybe consider using eventstats?

0 Karma

Esperteyu
Explorer

Sorry @adonio, but if I understand it properly, after streamstats I would need to use a command to make it chartable, and that's where I don't get anything useful from the different options I tried.

0 Karma
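
An added example, not posted by anyone in this thread: one way to turn the per-type totals above into error/success percentages per time bucket is to bucket `_time` first and keep `request_type` as a row field. This avoids the combined "aggregation: series" columns that `timechart` produces when several aggregations are split by a field. It reuses `base_search`, `response` and `request_type` from the posts above; the one-hour span and the names `error_pct` and `success_pct` are assumptions.

```spl
base_search
| eval error=if(like(response,"%FAILED%"),1,0)
| bin _time span=1h
| stats count as total sum(error) as errors by _time, request_type
| eval error_pct=round(100*errors/total, 1)
| eval success_pct=100-error_pct
| fields _time request_type error_pct success_pct
```

Rendered as a column chart with `charting.chart.stackMode` set to `stacked` and trellis enabled and split on `request_type`, each panel should show one request type with the two percentages stacked to 100 per bucket.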