Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Creating a stacked line chart not by time

byu168
Path Finder
‎04-05-2017 03:06 PM

Hi all,

Our machines run through various processes (each one is given a unique run_id), each process can be broken down into different steps. What I want to do is to create a stacked line chart (or area chart) where the duration of each step can be shown for each run_id and a sum of all the steps given. I've created two different queries to get the data to what I want but I'm not sure how to convert either into a readable line chart.

Sample table from query 1:

run_id             duration            sum
x                    4                20
                     5                         
                     6
                     5
y                   10                50

Duration is a multivalue field in this case and the sum is just a single sum of all the steps.

Sample table from query 2

run_id step duration cumulative sum
x 1 4 4
x 2 5 9
x 3 6 15
x 4 5 20
y 1 10 10

This table shows the step name and the sum is a cumulative sum (using streamstats).

I need to use the run_id (run_ids are essentially a marker of when the process occurred) on the y-axis. I know that a stacked column chart would be a much better way to visualize the duration/sum of the steps but we go through nearly a hundred runs a day and it's not feasible to produce that many columns. Does anyone have any advice on how to turn either of these tables into a readable line chart?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎04-05-2017 03:13 PM

Would you give this a try. Search:

Query 2 giving fields run_id step duration cumulative sum (don't care about cumulative sum)
| chart sum(duration) over run_id by step

Display it in stacked column chart. So each column would represent a run_id and each column will be splitted into duration for step. Total height of column will be total duration (not calculated but can see visually).

View solution in original post

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎04-05-2017 08:14 PM

Show us some raw events and a mockup of the chart that you desire (I do not get it).

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎04-05-2017 03:13 PM

Would you give this a try. Search:

Query 2 giving fields run_id step duration cumulative sum (don't care about cumulative sum)
| chart sum(duration) over run_id by step

Display it in stacked column chart. So each column would represent a run_id and each column will be splitted into duration for step. Total height of column will be total duration (not calculated but can see visually).

0 Karma
Reply
Solved! Jump to solution

byu168
Path Finder
‎04-05-2017 03:27 PM

I had intended to avoid using a stacked column chart because I didn't think it would scale well with the amount of runs we had but it actually looks fine. Thanks.

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...