Dashboards & Visualizations

Creating a stacked line chart not by time

byu168
Path Finder

Hi all,

Our machines run through various processes (each one is given a unique run_id), each process can be broken down into different steps. What I want to do is to create a stacked line chart (or area chart) where the duration of each step can be shown for each run_id and a sum of all the steps given. I've created two different queries to get the data to what I want but I'm not sure how to convert either into a readable line chart.

Sample table from query 1:

run_id             duration            sum
x                    4                20
                     5                         
                     6
                     5
y                   10                50

Duration is a multivalue field in this case and the sum is just a single sum of all the steps.

Sample table from query 2

run_id step duration cumulative sum
x 1 4 4
x 2 5 9
x 3 6 15
x 4 5 20
y 1 10 10

This table shows the step name and the sum is a cumulative sum (using streamstats).

I need to use the run_id (run_ids are essentially a marker of when the process occurred) on the y-axis. I know that a stacked column chart would be a much better way to visualize the duration/sum of the steps but we go through nearly a hundred runs a day and it's not feasible to produce that many columns. Does anyone have any advice on how to turn either of these tables into a readable line chart?

0 Karma
1 Solution

somesoni2
Revered Legend

Would you give this a try. Search:

Query 2 giving fields run_id step duration cumulative sum (don't care about cumulative sum)
| chart sum(duration) over run_id by step

Display it in stacked column chart. So each column would represent a run_id and each column will be splitted into duration for step. Total height of column will be total duration (not calculated but can see visually).

View solution in original post

0 Karma

woodcock
Esteemed Legend

Show us some raw events and a mockup of the chart that you desire (I do not get it).

0 Karma

somesoni2
Revered Legend

Would you give this a try. Search:

Query 2 giving fields run_id step duration cumulative sum (don't care about cumulative sum)
| chart sum(duration) over run_id by step

Display it in stacked column chart. So each column would represent a run_id and each column will be splitted into duration for step. Total height of column will be total duration (not calculated but can see visually).

0 Karma

byu168
Path Finder

I had intended to avoid using a stacked column chart because I didn't think it would scale well with the amount of runs we had but it actually looks fine. Thanks.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...