Dashboards & Visualizations

How to get multiple overlays on panel, by time

rnotch
Explorer

Hi, so currently I have the following panel and code:

index=origin sourcetype=access_combined (AccountID!="test" AND AccountID!="server") $AccountIDtoken$  | eval AccountID=if(isnum(AccountID), tag, AccountID) | chart count  by AccountID, status_description

alt text

But what I WANT is for it to look kinda like this...

alt text

...With FOUR overlay lines (one for each response code total count). One axis would be account IDs (probably stacked), the other axis would be time slots. I have pickers for Timeframe (token=field1) and AccountID (token=AccountIDtoken) and timespan (token=span) in place.

That way I could see variation in response codes over time, per account. Any thoughts?

0 Karma

Sukisen1981
Champion

index=origin sourcetype=access_combined (AccountID!="test" AND AccountID!="server") $AccountIDtoken$ | eval AccountID=if(isnum(AccountID), tag, AccountID) | chart count by AccountID, status_description | addtotals | fields status_description, Totals

Now , go to the chart format and select all status_description as overlay

0 Karma

rnotch
Explorer

I'm afraid that search comes up as blank, even when running it in a search bar with the token removed. If I run it with just the "addtotals," it looks identical to before. The last pipe is stripping all the data for some reason.

0 Karma

Sukisen1981
Champion

have you explored streamstats ???

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...