Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Creating a stacked line chart not by time

byu168
Path Finder
‎04-05-2017 03:06 PM

Hi all,

Our machines run through various processes (each one is given a unique run_id), each process can be broken down into different steps. What I want to do is to create a stacked line chart (or area chart) where the duration of each step can be shown for each run_id and a sum of all the steps given. I've created two different queries to get the data to what I want but I'm not sure how to convert either into a readable line chart.

Sample table from query 1:

run_id             duration            sum
x                    4                20
                     5                         
                     6
                     5
y                   10                50

Duration is a multivalue field in this case and the sum is just a single sum of all the steps.

Sample table from query 2

run_id step duration cumulative sum
x 1 4 4
x 2 5 9
x 3 6 15
x 4 5 20
y 1 10 10

This table shows the step name and the sum is a cumulative sum (using streamstats).

I need to use the run_id (run_ids are essentially a marker of when the process occurred) on the y-axis. I know that a stacked column chart would be a much better way to visualize the duration/sum of the steps but we go through nearly a hundred runs a day and it's not feasible to produce that many columns. Does anyone have any advice on how to turn either of these tables into a readable line chart?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎04-05-2017 03:13 PM

Would you give this a try. Search:

Query 2 giving fields run_id step duration cumulative sum (don't care about cumulative sum)
| chart sum(duration) over run_id by step

Display it in stacked column chart. So each column would represent a run_id and each column will be splitted into duration for step. Total height of column will be total duration (not calculated but can see visually).

View solution in original post

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎04-05-2017 08:14 PM

Show us some raw events and a mockup of the chart that you desire (I do not get it).

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎04-05-2017 03:13 PM

Would you give this a try. Search:

Query 2 giving fields run_id step duration cumulative sum (don't care about cumulative sum)
| chart sum(duration) over run_id by step

Display it in stacked column chart. So each column would represent a run_id and each column will be splitted into duration for step. Total height of column will be total duration (not calculated but can see visually).

0 Karma
Reply
Solved! Jump to solution

byu168
Path Finder
‎04-05-2017 03:27 PM

I had intended to avoid using a stacked column chart because I didn't think it would scale well with the amount of runs we had but it actually looks fine. Thanks.

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

  Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...