Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Creating a stacked line chart not by time

byu168
Path Finder
‎04-05-2017 03:06 PM

Hi all,

Our machines run through various processes (each one is given a unique run_id), each process can be broken down into different steps. What I want to do is to create a stacked line chart (or area chart) where the duration of each step can be shown for each run_id and a sum of all the steps given. I've created two different queries to get the data to what I want but I'm not sure how to convert either into a readable line chart.

Sample table from query 1:

run_id             duration            sum
x                    4                20
                     5                         
                     6
                     5
y                   10                50

Duration is a multivalue field in this case and the sum is just a single sum of all the steps.

Sample table from query 2

run_id step duration cumulative sum
x 1 4 4
x 2 5 9
x 3 6 15
x 4 5 20
y 1 10 10

This table shows the step name and the sum is a cumulative sum (using streamstats).

I need to use the run_id (run_ids are essentially a marker of when the process occurred) on the y-axis. I know that a stacked column chart would be a much better way to visualize the duration/sum of the steps but we go through nearly a hundred runs a day and it's not feasible to produce that many columns. Does anyone have any advice on how to turn either of these tables into a readable line chart?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎04-05-2017 03:13 PM

Would you give this a try. Search:

Query 2 giving fields run_id step duration cumulative sum (don't care about cumulative sum)
| chart sum(duration) over run_id by step

Display it in stacked column chart. So each column would represent a run_id and each column will be splitted into duration for step. Total height of column will be total duration (not calculated but can see visually).

View solution in original post

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎04-05-2017 08:14 PM

Show us some raw events and a mockup of the chart that you desire (I do not get it).

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎04-05-2017 03:13 PM

Would you give this a try. Search:

Query 2 giving fields run_id step duration cumulative sum (don't care about cumulative sum)
| chart sum(duration) over run_id by step

Display it in stacked column chart. So each column would represent a run_id and each column will be splitted into duration for step. Total height of column will be total duration (not calculated but can see visually).

0 Karma
Reply
Solved! Jump to solution

byu168
Path Finder
‎04-05-2017 03:27 PM

I had intended to avoid using a stacked column chart because I didn't think it would scale well with the amount of runs we had but it actually looks fine. Thanks.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...