Dashboards & Visualizations

Can I show the results of two different searches in one visualization?

zacksoft
Contributor

I have two separate queries,

Query1:
host="A" OR "B" consumed
| eval consume = case (.............)
| stats count by consumed

Query2:
host="A" OR "B" produced
| eval produce = case (.............)
| stats count by produce

In the visualization tab (column chart) I get two nice charts/graphs, one for each query.
However, I would like a single chart/graph where both visualizations come side by side.
Example: on the X axis, a red bar showing the amount produced and a blue bar adjacent to it showing the amount consumed for each product.

0 Karma
1 Solution

niketn
Legend

@zacksoft, so something like orancon in your raw data means oranges consumed and oranpro means oranges produced. You can try a query like the following:

<YourBaseSearch> ("orancon" OR "oranpro")
| stats count(eval(searchmatch("orancon"))) as consumed count(eval(searchmatch("oranpro"))) as produced

Or if you want to show the same over time

<YourBaseSearch> ("orancon" OR "oranpro")
| timechart count(eval(searchmatch("orancon"))) as consumed count(eval(searchmatch("oranpro"))) as produced
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

zacksoft
Contributor

Thanks @niketnilay

0 Karma

sundareshr
Legend

@zacksoft, you could do as @niketnilay suggests here, or you can create a new field for "pro_con" or "action" (call it whatever) with two values, "produced" or "consumed", and then chart over that state. Something like this should work:

    host="A" OR "B" ("orancon" OR "oranpro")
    | eval pro_con=case (match(_raw, "orancon"), "consumed", match(_raw, "oranpro"), "produced", 1=1, "UNK")
    | timechart count by pro_con

    OR
    | stats count by pro_con

    OR 
    | chart count over some_other_grouping_field by pro_con

@niketnilay's search is probably more efficient, whereas the above may be more readable. More options to achieve the same result.
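As an added, self-contained example (not part of the original thread or either answer): the search below builds six constructed events with makeresults instead of reading real data, derives a pro_con field with the same case(match(_raw, ...)) pattern as the answer above, and then charts consumed against produced side by side for each host. The host values, the sample _raw strings and the pro_con field name are all constructed for illustration; replace the first four lines with your own base search to run it against real events.

```spl
| makeresults count=6
| streamstats count AS n
| eval host=if(n<=3, "A", "B")
| eval _raw=case(n%3=0, "oranpro item=orange", 1=1, "orancon item=orange")
| eval pro_con=case(match(_raw, "orancon"), "consumed", match(_raw, "oranpro"), "produced", 1=1, "UNK")
| chart count OVER host BY pro_con
```

The result is one row per host with a consumed column and a produced column (here A: consumed=2, produced=1; B: consumed=2, produced=1), which the column chart visualization renders as adjacent bars. Swap the last line for `| timechart count BY pro_con` to get the same split over time. One caveat when substituting a real base search: `host="A" OR "B"` as written in the question matches host A or any event containing the term B anywhere; `(host="A" OR host="B")` restricts the search to the two hosts.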

djkj957
Engager

@sundareshr worked like a charm!!

0 Karma

zacksoft
Contributor

Thank You @sundareshr

0 Karma

niketn
Legend

@zacksoft, what is the condition for produced and consumed (your eval command)? Ideally you should use eval after stats if possible, from a performance point of view. Do you mean side by side, stacked, or overlay? Since your base search remains the same, you might get the stats together. But you might have to provide some sample data and your query for us to assist better.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

zacksoft
Contributor

The eval command goes like this in Query1:
eval consume=case(like(_raw,"%orancon%"),"OrangeConsumed")
and in Query2:
eval produce=case(like(_raw,"%oranpro%"),"OrangeProduced")

Yes, I guess overlay or stacked might solve my problem.

0 Karma

woodcock
Esteemed Legend

Splunk can only come close like this:
https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Viz/VisualizationTrellis

If you need them more stuck/close together, then you will have to use a tool like Sideview Utils or roll your own JS/HTML.
