How can I create a Splunk conditional multiline chart?


Hi there,

I have spent 3 days looking for an answer with no luck; I'm hoping that someone here can help.

I want to create one panel with one chart. I want the chart to have multiple lines that are created by different queries. I want to have a checkbox for each query/line, so that when you check the box, its corresponding query gets run and the resulting line appears.

For example, let's say I have the following queries:

1) search message="abcd" | timechart count AS abcd

2) search message="efgh" | timechart count AS efgh

3) search message="ijkl" | timechart count AS ijkl

And so on...

I want these checkboxes: A, E, I....  let's say

When none of the boxes are checked I don't want to see any lines on the chart. When I click A I want to see the data for the abcd search appear on the chart. When I click on E, I want to see the efgh line appear on top of the abcd line. When I click I, I want to see the ijkl line appear on top of the other two. If I uncheck E, I want to see the efgh line disappear but the other two remain... You get the idea.


I want to add as many queries as I want, and have a checkbox for each query, and show the result line of that query on top of other lines when I click on its checkbox.


Is this possible? I'd appreciate any help for this.

Many thanks,







I think that you can do most of it, but getting the last clicked line on top of the pile, I don't know; maybe with JS/CSS, but I'm not an expert with those.

I suppose that you know how to build dashboards and use tokens, so I won't explain those at the detail/example level.

You should try something like a base search which collects all those events, instead of using several separate, almost identical searches. I use _audit as an example:


```
index=_audit action=*
| timechart span=5m count(eval(action=="search")) as abc count(eval(action=="list_health")) as def count(eval(action=="list_workload_pools")) as ghi count(eval(action=="never happened")) as jkl
```


With that query you get all the needed data with one real query. Then create a separate chained search for every checkbox, like:


```
<use base search>
| fields _time <abc field name etc.>
```


Then use tokens for visibility (depends) on those panels whose checkbox you have clicked.

I suppose that with this basic idea you should have everything except this "random" order.

r. Ismo



Thank you for your reply, it is very informative. However, one of the motivations for running separate queries is to speed up the search by switching the unwanted ones off. If I have one search that collects all the data, I would be waiting a long time. However, your solution could work if we accept that it will be a slow response. Can you elaborate on your answer? You mentioned "depends", but that is for panels; I want to have one panel with multiple lines on one chart. Do you think that is possible? Thanks



Whether one base search with chained searches or several separate searches is more efficient is something you must check in your environment. With several searches you will probably need to read many more events from disk than with one base + chain, but of course it depends on your real searches.

If/when you want to put everything in one panel/chart, it's doable and actually the normal way to do it.

With SimpleXML you should just use tokens to select which values you want to see. Something like:

```xml
<form version="1.1">
  <fieldset submitButton="false" autoRun="true">
    <input type="multiselect" token="tp_tok" searchWhenChanged="true">
      <choice value="*">All</choice>
      <prefix>foobar IN (</prefix>
      <suffix>)</suffix>
      <delimiter>,</delimiter>
      <fieldForLabel>foobar</fieldForLabel><fieldForValue>foobar</fieldForValue>
      <search><query>| tstats count where host="xxx" index="xyz" sourcetype="abc" by foobar</query></search>
    </input>
  </fieldset>
  <row><panel>
    <title>TITLE for Graph</title>
    <chart>
      <search><query>host="xx" index="xyz" sourcetype="abc" $tp_tok$
| timechart sum(as_lkm) as as_lkm by foobar</query></search>
      <!-- .... some options removed .... -->
    </chart>
  </panel></row>
</form>
```

These are heavily modified lines (with parts removed) from one dashboard I have. It probably won't work as is, but I hope you get the idea from it.

Basically, that gets the "foobar" values from the index, and then you can select which ones you show on the dashboard. The default is that you see all of them.
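To tie the two answers above together (the base search + chained search + depends idea from the first, and the token-driven IN() filter from the second) for the question as asked, here is a complete SimpleXML dashboard. It is an added example, not code from this thread. It assumes the events live in index=main with sourcetype=app_log and carry a message field whose values are the abcd/efgh/ijkl strings from the question; change those to match your data.

```xml
<form version="1.1">
  <label>Conditional multiline chart (added example)</label>
  <fieldset submitButton="false" autoRun="true">
    <!-- One checkbox per line. Each checked value is quoted and joined with
         commas, so the token expands to e.g. message IN ("abcd","efgh").
         With nothing checked the token has no value, so the panels below,
         which depend on it, are hidden: no lines, and no search is run. -->
    <input type="checkbox" token="msg_tok" searchWhenChanged="true">
      <label>Lines to show</label>
      <choice value="abcd">A</choice>
      <choice value="efgh">E</choice>
      <choice value="ijkl">I</choice>
      <prefix>message IN (</prefix>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter>,</delimiter>
      <suffix>)</suffix>
    </input>
    <input type="time" token="time_tok">
      <label>Time range</label>
      <default><earliest>-24h@h</earliest><latest>now</latest></default>
    </input>
  </fieldset>
  <!-- Base search (assumed index/sourcetype). The token filter goes into the
       base search so only the checked messages are read from disk, which is
       the speed concern raised above. A base search that keeps raw events
       must end in "| fields ..." so the chained searches can consume it. -->
  <search id="base">
    <query>index=main sourcetype=app_log $msg_tok$ | fields _time message</query>
    <earliest>$time_tok.earliest$</earliest>
    <latest>$time_tok.latest$</latest>
  </search>
  <row>
    <!-- One chart, one line per checked message. -->
    <panel depends="$msg_tok$">
      <title>Message counts over time</title>
      <chart>
        <search base="base">
          <query>| timechart span=5m count by message</query>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.legend.placement">bottom</option>
        <option name="charting.chart.nullValueMode">zero</option>
      </chart>
    </panel>
    <!-- Second chained panel reusing the same events: this is where the
         base search pays off, since the events are read once. -->
    <panel depends="$msg_tok$">
      <title>Totals for the selected messages</title>
      <table>
        <search base="base">
          <query>| stats count by message | sort - count</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Two caveats. First, the series order in the chart is the column order produced by `timechart ... by message` (alphabetical by value), not the order in which boxes were clicked, so "the last clicked line on top" is still not something this gives you without JS/CSS, as noted above. Second, the token is built only from fixed `<choice>` values, never from a free-text input, so a dashboard viewer cannot smuggle extra SPL into the query through the token; if you later replace the checkboxes with a text input, that property is lost.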


Hi @SkyeCoder,

If I correctly understood your requirement, it's possible.

See the "Link switches" dashboard in the Splunk Dashboard Examples App (https://splunkbase.splunk.com/app/1603).




Hi there, thanks for your answer. The link returns a 404 error for me; do you have a working one I can use? Thanks



Hi @SkyeCoder ,

Sorry! There was a copy and paste error; please try this: https://splunkbase.splunk.com/app/1603


