Dashboards & Visualizations

How to get multiple overlays on panel, by time

rnotch
Explorer

Hi, so currently I have the following panel and code:

index=origin sourcetype=access_combined (AccountID!="test" AND AccountID!="server") $AccountIDtoken$  | eval AccountID=if(isnum(AccountID), tag, AccountID) | chart count  by AccountID, status_description

alt text

But what I WANT is for it to look kinda like this...

alt text

...With FOUR overlay lines (one for each response code total count). One axis would be account IDs (probably stacked), the other axis would be time slots. I have pickers for Timeframe (token=field1) and AccountID (token=AccountIDtoken) and timespan (token=span) in place.

That way I could see variation in response codes over time, per account. Any thoughts?

0 Karma

Sukisen1981
Champion

index=origin sourcetype=access_combined (AccountID!="test" AND AccountID!="server") $AccountIDtoken$ | eval AccountID=if(isnum(AccountID), tag, AccountID) | chart count by AccountID, status_description | addtotals | fields status_description, Totals

Now , go to the chart format and select all status_description as overlay

0 Karma

rnotch
Explorer

I'm afraid that search comes up as blank, even when running it in a search bar with the token removed. If I run it with just the "addtotals," it looks identical to before. The last pipe is stripping all the data for some reason.

0 Karma

Sukisen1981
Champion

have you explored streamstats ???

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...