Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can i create trellis with overlays, when the overlap can be dynamic.

robertlynch2020
Influencer
4 weeks ago

Hi

I have an issue with a graph like this.

I have created a way to make the overlays dynamic. So we can see multiple levels in the image.

But ideally, I want this in trellies.

robertlynch2020_1-1761914296216.png

Maxcount is the overlay

robertlynch2020_2-1761914408972.png

 

I do this by generating a token, that has all the overlays.

robertlynch2020_3-1761914457593.png

robertlynch2020_5-1761914572625.png

 

However, if I change this to treilles, it's no good (They all come out in different images).

Ideally, I need them to be grouped Together (By ID). But when you pick trellises, you lose the overlay, and then there is the question of how each graph knows to take what overlay. There is an ID that is the same that might be useful in this case, but I am not sure - any help would be amazing!!!

 

Below, we can see the overlay in different graphs.

robertlynch2020_0-1761917058454.png

However, when I do it on a small example, the overlays go into one graph - Perhaps it's related to the data?

robertlynch2020_0-1761915977566.png

 

 

  <panel>
      <title>Engine Count With MaxCount per Endpoint_Processing</title>
      <chart>
        <search>
          <query>| mstats avg("mx.grid.endpoint.engine.count") as count WHERE "index"="murex_metrics" span=10s AND "mx.env"="$mx_env$" AND service.name="$serviceName$" AND service.namespace="$serviceNamespace$" AND endpoint.name IN ($endpointName$) AND engine.state IN (processing) BY endpoint.name 
| join type=left endpoint.name 
    [| mstats latest("mx.grid.endpoint.expected_engine.count") prestats=true where index=murex_metrics AND "mx.env"="$mx_env$" AND service.name="$serviceName$" AND service.namespace="$serviceNamespace$" AND endpoint.name IN ($endpointName$) BY endpoint.name
    | stats latest("mx.grid.endpoint.expected_engine.count") as desiredCount by endpoint.name 
        ] 
| rename endpoint.name as EndPoint desiredCount as MaxCount 
| eval {EndPoint}_processing = count 
| eval {EndPoint}_MaxCount = MaxCount 
| fields - EndPoint count MaxCount | stats values(*) as * by _time</query>
          <earliest>$global_time_tok.earliest$</earliest>
          <latest>$global_time_tok.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">area</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.overlayFields">$Token_CHART_OVERLAY$</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="height">483</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tscroggins
Influencer
3 weeks ago

Hi @robertlynch2020,

As an aside, you can add the hidden fields normally generated by the predict command to instruct SplunkWeb to draw upper and lower control boundaries in both normal and trellis modes. As before, the fields need to be aggregations:

index=_internal  component IN (LicenseUsage Metrics SavedSplunker)
| timechart fixedrange=f limit=0 span=5m usenull=f useother=f count by component
| untable _time component count
``` calculate stdev and mean, although you can use any statistics ```
| eventstats stdev(count) as s avg(count) as u by component
``` calculate limits from statistics ```
| eval lcl=max(0, u-s), ucl=u+s
``` add hidden fields to produce river chart boundaries ```
| stats max(count) as count max(lcl) as lcl max(ucl) as ucl values(eval(tostring("lcl"))) as _lowercount values(eval(tostring("count"))) as _predictedcount values(eval(tostring("ucl"))) as _uppercount by _time component

tscroggins_0-1762291720643.png

 

View solution in original post

Reply
Solved! Jump to solution

tscroggins
Influencer
3 weeks ago

Hi @robertlynch2020,

I'll counter @livehybrid here and note that it should work as long as the overlay fields are aggregations from, e.g., chart, mstats, stats, timechart, or xyseries.

Here's a simplified example using internal logs, timechart, and stats:

index=_internal  component IN (LicenseUsage Metrics SavedSplunker)
| timechart fixedrange=f limit=0 span=5m usenull=f useother=f count by component
| untable _time component count
| eventstats latest(count) as maxcount by component
| stats max(count) as count max(maxcount) as maxcount by _time component

I've used timechart and untable as a shortcut for continuous time output. The eventstats command allows using a single field as an overlay that's aggregated by one or more categorical fields. The subsequent stats command converts the pre-binned count and maxcount values into aggregates recognized by trellis mode:

tscroggins_0-1762279561748.png

The chart uses a global overlay, but because the value is an aggregate, it varies by split-by field.

Reply
Solved! Jump to solution

livehybrid
SplunkTrust
SplunkTrust
3 weeks ago

Thanks @tscroggins  - I didnt know this so much appreciate your response with example! One to keep in the back pocket 🙂

Will

Reply
Solved! Jump to solution
Solution

tscroggins
Influencer
3 weeks ago

Hi @robertlynch2020,

As an aside, you can add the hidden fields normally generated by the predict command to instruct SplunkWeb to draw upper and lower control boundaries in both normal and trellis modes. As before, the fields need to be aggregations:

index=_internal  component IN (LicenseUsage Metrics SavedSplunker)
| timechart fixedrange=f limit=0 span=5m usenull=f useother=f count by component
| untable _time component count
``` calculate stdev and mean, although you can use any statistics ```
| eventstats stdev(count) as s avg(count) as u by component
``` calculate limits from statistics ```
| eval lcl=max(0, u-s), ucl=u+s
``` add hidden fields to produce river chart boundaries ```
| stats max(count) as count max(lcl) as lcl max(ucl) as ucl values(eval(tostring("lcl"))) as _lowercount values(eval(tostring("count"))) as _predictedcount values(eval(tostring("ucl"))) as _uppercount by _time component

tscroggins_0-1762291720643.png

 

Reply
Solved! Jump to solution

robertlynch2020
Influencer
3 weeks ago

Hi - Boths answers are wonderfull -Thanks very much

Reply
Solved! Jump to solution

robertlynch2020
Influencer
3 weeks ago

Hi

Thanks for the Answer on this.

Rob

0 Karma
Reply
Solved! Jump to solution

livehybrid
SplunkTrust
SplunkTrust
4 weeks ago

Hi @robertlynch2020 

Unfortunately it isnt possible to apply an overlay to a trellis because it splits by each field, therefore you would end up with the overlay field as its own trellis visualisation.

One way you *might* be able to achieve this is using Dashboard Studio and drawing a line graph with you overlay on top of your other charts - it might take a bit of tweaking and adjusting of the axis min/max etc to get the alignment correct but might work!

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...