For example, I'm creating a dashboard with two timecharts like below:
eventtype="watchlist_result" | timechart span=1h limit=0 first(nDevices) by name | fillnull value=0
eventtype="watchlist_result" | timechart span=1h limit=0 first(nActivities) by name | fillnull value=0
And in the dashboard I configure it using 'Trellis' so I get a chart for each 'name'. One thing that is cumbersome is that I end up with two panels, and if the user wants to look at the activity count for the same name, they have to scroll on both panels.
However, I would like to bundle the two timecharts (since they are split by the same field 'name') into one panel, so that charts with the same name are presented together and the user just needs to scroll once.
To clarify further, the names are fields extracted from the event. Since the charts are all split by the same field name, I would like to have a way to have the device/activity charts for the same name shown together like a pair in trellis, something like below:
Merge the timecharts for the two different series into one and then use the Trellis Formatting Options in the UI to Split By
eventtype="watchlist_result" | timechart span=1h limit=0 first(nDevices) as nDevices first(nActivities) as nActivities by name | fillnull value=0
Following is the Simple XML option for Splitting Trellis by
Since your scale for nDevices (in the example the max is 1) and the scale for nActivities differ by a lot, ideally you should create a Chart Overlay also. The following will create an overlay for nDevices with an inherited scale, so that device increments/decrements are easy to interpret against the activities.
<option name="charting.axisTitleY.text">nActivities</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.text">nDevices</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.chart.overlayFields">nDevices</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart.nullValueMode">zero</option>
PS: Chart Overlay is optional but I feel you would be able to get better interpretation with the same.
Hi @niketnilay, I've been trying to implement your solution here for the same issue. I would like to use the overlay without trellis, but the fields become a concatenation with the by value, so the overlayField doesn't work. I'm able to make it work in the GUI by manually choosing each concatenated value for a particular search, but it doesn't generalize for the dashboard.
Thanks for any suggestions. Is it possible to have a wildcard in the field name or something similar, for example?
@cblanton if you have more than one aggregation along with a split-by field in timechart, then you will have multiple series names created in regular visualizations, which is expected behavior. And this is what Trellis solves. However, if you do not want Trellis, could you please elaborate on what works for you in Search but not in the dashboard? Also, if possible, add your search query, some dummy sample data and screenshots of the results (both expected and actual). Please mock/anonymize any sensitive information before posting.
Thanks a lot for the reply, I just updated my question with more context on exactly what I want.
Unfortunately I do not want to use an overlay with separate scales; I just would like to know if there is a way to bundle/pair two timecharts split by the same field.
If you do not want to overlay, you can just choose to create the combined timechart and split Trellis by name. You need not perform the subsequent steps for the chart overlay; they were just a suggestion.
Start with this...
eventtype="watchlist_result" | eval fan = mvrange(0,2) | mvexpand fan | eval value=if(fan=0,nDevices,nActivities) | eval type=if(fan=0,name." Devices", name." Activities") | timechart span=1h limit=0 first(value) by type | fillnull value=0
I'm not sure exactly what the meaning of nActivities is, or why you have by name but have only one set of results, but this should produce a result that combines your prior two results into a single