Dashboards & Visualizations
Highlighted

Overlay Two Graphs Together

Communicator

I have two graphs in a Splunk dashboard that I want to combine/overlay into one, both concerning data from a survey.

The first shows the total number of survey responses: http://imgur.com/a/Q3ebx
Here is the search query:

index=webex_sentiment | eval surveyDate=strptime(Started,"%m/%d/%Y %H:%M") | eval YearWeek=strftime(surveyDate,"%Y-%U") | search YearWeek!="2016-00" | chart  count(Rating) as NumberRatings by YearWeek | search YearWeek > 2016-12

The second shows the number of survey responses that contained negative sentiment, along with a moving average: http://imgur.com/a/H2ryv
Here is the search query:

index=webex_sentiment | eval surveyDate=strptime(Started,"%m/%d/%Y %H:%M") |  eval YearWeek=strftime(surveyDate,"%Y-%U") |search YearWeek!="2016-00"| stats count(Rating) as NumberRatings by YearWeek Rating | eventstats sum(NumberRatings) as TotalRatings by YearWeek | eval PercentageRatings=round(NumberRatings/TotalRatings,3) | where Rating=1 OR Rating=2 | stats sum(PercentageRatings) as NegativeSentiment by YearWeek | trendline sma3(NegativeSentiment) AS MovingAverage(NegativeSentiment) 

I want to display both of these lines graphs in a single chart. Please advise.

Highlighted

Re: Overlay Two Graphs Together

Communicator

I'll give 100 karma to the right answer 🙂

Highlighted

Re: Overlay Two Graphs Together

Esteemed Legend

The simplest thing to do is to append them both together and run them through timechart.

Highlighted

Re: Overlay Two Graphs Together

Communicator

@woodcock

How do I do that?

Best,
Matthew

0 Karma
Highlighted

Re: Overlay Two Graphs Together

Legend

Try this:

index=webex_sentiment surveyDate=* Rating=*
| eval surveyDate=strptime(Started,"%m/%d/%Y %H:%M")
| eval YearWeek=strftime(surveyDate,"%Y-%U")
| search YearWeek!="2016-00"
| eval Rating = "Rating" . Rating
| chart count by YearWeek Rating
| addtotals fieldname=NumberRatings Rating*
| eval NegativeSentiment = Rating1 + Rating2
| fields YearWeek NumberRatings NegativeSentiment
| streamstats window=5 avg(NegativeSentiment) as MovingAverage_NegativeSentiment

It is slightly different, but should do the same thing. streamstats calculates a moving average based on the current value plus the previous five values, but you could change that as you like. I just wanted to show an alternative.

View solution in original post

Highlighted

Re: Overlay Two Graphs Together

Communicator

@Iguinn

Thanks so much for your help. I input your code, but my search did not return any results.

Here is the job inspection: http://imgur.com/a/JMv3T

I believe the error may have something to do with the time range, but I'm not positive.

Best,

Matthew

Highlighted

Re: Overlay Two Graphs Together

Legend

I think the error is because you put the word "search" at the very begging of the command line.

The search command is implied. By putting the word "search" in the box, you asked Splunk to identify events with the literal keyword "search" in them. There probably aren't any events like that in your data. 😄

Highlighted

Re: Overlay Two Graphs Together

Communicator

@lguinn

I believe the problem may be elsewhere. I input your code here: http://imgur.com/a/In8ij

However, there are still no events shown.

In the picture from my last comment, the "search" term was shown because I was inspecting the job.

Thanks again; please let me know how to fix this if you can 🙂

0 Karma
Highlighted

Re: Overlay Two Graphs Together

Legend

What do you get if you just run the first part of the search

 index=webex_sentiment surveyDate=* Rating=*
 | eval surveyDate=strptime(Started,"%m/%d/%Y %H:%M")
 | eval YearWeek=strftime(surveyDate,"%Y-%U")
Highlighted

Re: Overlay Two Graphs Together

Communicator

@lguinn thanks so much!

I found the problem was the "surveyDate=* Rating=*" at the start of the query.

I deleted that phrase then re-ran your initial code:

index=webex_sentiment 
 | eval surveyDate=strptime(Started,"%m/%d/%Y %H:%M")
 | eval YearWeek=strftime(surveyDate,"%Y-%U")
 | search YearWeek > "2016-12"
 | eval Rating = "Rating" . Rating
 | chart count by YearWeek Rating
 | addtotals fieldname=NumberRatings Rating*
 | eval NegativeSentiment = Rating1 + Rating2
 | fields YearWeek NumberRatings NegativeSentiment
 | streamstats window=5 avg(NegativeSentiment) as MovingAverage_NegativeSentiment

I received this graph: http://imgur.com/a/sC0Xz

However, this displays the number of surveys with negative sentiment, rather than the percentage of surveys with negative sentiment.

How do I make this change?