Dashboards & Visualizations

Charts getting overlapped and doesnt display properly

asubramanian
Explorer

I am creating a chart based on a log message value which can have say around 4 value. below is a sample search query

index=_internal
"INFO  Metrics - group=search_health_metrics"
 | rex field=_raw "name=(?<metric_name>(\S+)),"
 | where isnotnull(metric_name)
 |  eval token_type=case(metric_name="compute_search_quota", "value1", metric_name="bundle_directory_reaper", "value2", metric_name="dispatch_directory_reaper", "value3", metric_name="distributed_peer_heartbeat", "value4")
 | eval _stat1=if(token_type="value1", 1, 0)
 | eval _stat2=if(token_type="value2", 1, 0)
 | eval _stat3=if(token_type="value3", 1, 0)
 | eval _stat4=if(token_type="value4", 1, 0)
 | stats sum(_stat1) as Stat1, sum(_stat2) as Stat2, sum(_stat3) as Stat3, sum(_stat4) as Stat4

The charts are showing up overlapped for ex, stat1 is getting displayed on top of stat2. but if I show as table the stats shows correctly.

Tags (1)
0 Karma
1 Solution

to4kawa
Ultra Champion

Easy way:

index=_internal "INFO  Metrics - group=search_health_metrics" 
| rex field=_raw "name=(?<metric_name>(\S+))," 
| eval Stats=case(metric_name="compute_search_quota", "Stat1", metric_name="bundle_directory_reaper", "Stat2", metric_name="dispatch_directory_reaper", "Stat3", metric_name="distributed_peer_heartbeat", "Stat4",true(),NULL) 
| stats count by Stats

Temporary:

| makeresults 
| eval _raw="Stat1,Stat2,Stat3,Stat4
95329,9530,9530,47"
| multikv forceheader=1
| fields - _*, linecount
`comment("the logic is blow")`
| transpose 0
| rename "row 1" as count, column as stats

View solution in original post

to4kawa
Ultra Champion

Easy way:

index=_internal "INFO  Metrics - group=search_health_metrics" 
| rex field=_raw "name=(?<metric_name>(\S+))," 
| eval Stats=case(metric_name="compute_search_quota", "Stat1", metric_name="bundle_directory_reaper", "Stat2", metric_name="dispatch_directory_reaper", "Stat3", metric_name="distributed_peer_heartbeat", "Stat4",true(),NULL) 
| stats count by Stats

Temporary:

| makeresults 
| eval _raw="Stat1,Stat2,Stat3,Stat4
95329,9530,9530,47"
| multikv forceheader=1
| fields - _*, linecount
`comment("the logic is blow")`
| transpose 0
| rename "row 1" as count, column as stats

vnravikumar
Champion

Hi

What do you want to show in x-axis and y-axis?

0 Karma

Richfez
SplunkTrust
SplunkTrust

Can you upload a screenshot of this?

0 Karma

asubramanian
Explorer

@rich7177 Updated the query to use the internal logs and attached the chart I am seeing. In the image you can see stat1 & stat3 are overlapped, below table shows some data

0 Karma
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...