Dashboards & Visualizations

## How to combine three (x,y) coord series into one graph?

Path Finder

Hi,

I have 3 simple graphs generated by these three queries respectively

``````
index="app_event" | eval starttime = strftime($$payload.beginVal$$, "%F %T.%9Q") | chart count(starttime) as BeginVal by starttime

index="app_event" | eval endtime = strftime($$payload.endVal$$, "%F %T.%9Q") | chart count(endtime) as EndVal by endtime

index="app_event" | eval othertime = strftime($$payload.anotherVal$$, "%F %T.%9Q") | chart count(othertime) as OtherVal by othertime
``````

The count values are always 1. So coords can be assumed to be like

``````
1. (1,1), (3,1), (7,1)
2. (2,1), (5,1), (11,1)
3. (4,1), (8,1)
``````

I want to merge these three charts into one chart by x axis value such that resultant chart looks like
`(1,1) (2,1) (3,1) (4,1) (5,1) (7,1)` and so on. But when I hover over the bar columns I want to be able to know the source of the column, that is, whether it is BeginVal, EndVal or OtherVal.

Thanks!

1 Solution
SplunkTrust

Seems like you are overcomplicating your life.

Try something like this...

``````
index="app_event"
| eval myFan=mvrange(0,3)
| mvexpand myFan
| eval phase=case(myFan=0,"Start", myFan=1,"End", myFan=2,"Other")
| timechart count by phase
``````

The above assumes that the phase time values were epoch times (or your `strftime` would not have worked)

If `timechart` won't work for your purposes, you can do this as well...

``````
| eval Time=strftime(_time, "%F %T.%9Q")
| chart count by Time phase
``````

... although you can choose the order, Time phase or phase Time, and so on.

Path Finder

Thanks DalJeanis, this worked out. Now let's say "other" comes from a different index. How would we modify the query then? Should we use multisearch?

Path Finder

Hey @DalJeanis
When we hover over the chart columns it shows the phase name and the count (as expected). Is it possible to add more labels to the column? I want to be able to see the value of \$\$payload.eventID\$\$ for each column. It is guaranteed that for all columns (with count 1 or more) the payload.eventID will be the same.

SplunkTrust

@dhruv101 - that is a very different question. You should probably post a new question with those specific needs, and hope for an answer from one of my colleagues that specializes in dashboard behavior.

Path Finder

Sounds good. Thanks so much!

SplunkTrust

You can if you want, but it isn't needed. You just OR together whatever you need before the first pipe.

``````
( index="app_event" ... any other search terms to narrow the first kind of record ...) OR
( index="foo" ... any other search terms to narrow the second kind of record ...)
| fields ...list all the fields that you need from either kind of record...
``````

Path Finder

Hey DalJeanis, could you also briefly explain the code you have written? I don't clearly understand why we need the myFan variable and what case(myFan=0) evaluates to since it's not myFan == 0, but rather an assignment. Thanks, I would really appreciate your help.

SplunkTrust

@dhruv101 - luckily, Splunk can only do assignment in the context of an `eval` or stats-type aggregate function use, so that code is just an equality test. Splunk will let you code the test as `=` or `==` in almost all cases. (You are right that `==` is unambiguous, so please feel free to code it that way.)

'myFan', in combination with the `mvexpand` verb, is one method of turning a single event into 3 events. `mvrange(0,3)` produces a field that has three values - `(0,1,2)`. `Mvexpand` then produces three events, one with each value. Multivalue fields are indexed using a zero base, so I'm in the habit of starting at zero. In this case, it could have been `mvrange(17,20)` and would have produced a different three values `(17,18,19)`. The rest of the code creates a different kind of record for each value of myFan.

Here, we've reset the value of `_time` to a different thing for each type of record... that's the main reason why we couldn't just do the `timechart` all without splitting up the records.
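
The fan-out described in this thread, as an added example that is not part of the original answers: it builds three constructed events with `makeresults`, expands each into one row per phase with `mvrange`/`mvexpand`, and sets `_time` on each row from the matching payload field before charting. Assumptions: the `payload.*` fields hold epoch seconds, all timestamp values are constructed, and the third event deliberately lacks `payload.anotherVal` so that its null-`_time` row is dropped by the `where` clause.

```spl
| makeresults count=3
| streamstats count AS n
| eval base=1700000000 + n*600
| eval "payload.beginVal"=base, "payload.endVal"=base+120
| eval "payload.anotherVal"=if(n<3, base+300, null())
| eval myFan=mvrange(0,3)
| mvexpand myFan
| eval phase=case(myFan==0,"Start", myFan==1,"End", myFan==2,"Other")
| eval _time=case(myFan==0,'payload.beginVal', myFan==1,'payload.endVal', myFan==2,'payload.anotherVal')
| where isnotnull(_time)
| timechart span=1m count by phase
```

Each row keeps its `phase` value, so the chart gets one series per phase and the hover text names the source of every column. Against real data, replace the first five lines with the base search.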

Path Finder

I see. Thanks a lot for the detailed explanation @DalJeanis!
