I’m on Splunk version 4.3.2. I have a simple query that I can render as a bar chart, but I have a problem making my bar chart stacked. Is there any requirement for the Splunk query in order to produce a proper stacked bar chart? Is there something that I need to know?
The only search-language piece is to make sure you're using the timechart or chart command to have one field's values basically down the left-hand side of the table, and a second field's values listed along the column headers of the table. It looks like you're doing this already, and the rest of it is not something you do in the search language but rather in the dashboard settings.
If you're using the dashboard wizard UI look inside the "Edit Visualization" options for a "stacked" option. It should be pretty easy to find.
If you're hand-editing simple XML, then add
and if you're using the "Advanced XML", then put
inside a HiddenChartFormatter just upstream from your JSChart or FlashChart.
I am also facing the same issue. I am using the below query to generate a stacked bar graph, but somehow it's not giving me stacked bar graph output. I tried selecting the stacked graph option but it didn't help. Also tried adding the XML entry but still no luck.
|inputlookup Tickets2.csv |search Status=Pending | eval tnow=now() | eval ptime=strptime(Logged_on,"%d/%m/%Y") | eval age=tnow-ptime | search age<1296000 | stats count by Logged_on,Type
Not sure what's the error.
stats count by Logged_on, Type will give you what's sometimes called "stats style" output rows. This isn't what you want, and it can't really be "stacked".
What you want is
chart count over Logged_on by Type, and this is called "chart style" output rows.
And last but not least, "chart style" rows can be stacked.
Further reading - sometimes in really advanced cases you need to kinda flip things around from one style of rows to another, and this is what xyseries and untable are for, if you've ever wondered. xyseries is an advanced command whose main purpose in life is to turn "stats style" output rows into "chart style" output rows, and untable does the opposite.
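To make the two row shapes from the answer above concrete, here is an added example (not part of the original thread, and not Splunk's implementation) that models in Python what xyseries and untable do to a result table. The sample rows and the function names are constructed, and leaving missing combinations empty is an assumption of this model.

```python
# Constructed sample rows in "stats style": one row per (Logged_on, Type) pair,
# the shape that `stats count by Logged_on,Type` returns.
STATS_ROWS = [
    {"Logged_on": "01/03/2013", "Type": "Incident", "count": 4},
    {"Logged_on": "01/03/2013", "Type": "Request", "count": 2},
    {"Logged_on": "02/03/2013", "Type": "Incident", "count": 1},
    {"Logged_on": "02/03/2013", "Type": "Change", "count": 3},
]


def to_chart_style(rows, x_field, series_field, value_field):
    """Pivot stats-style rows (the xyseries direction): one row per x value,
    one column per distinct series value."""
    series = []   # column order = first-seen order of series values
    by_x = {}     # x value -> {series value: cell}
    for row in rows:
        if row[series_field] not in series:
            series.append(row[series_field])
        by_x.setdefault(row[x_field], {})[row[series_field]] = row[value_field]
    # Combinations that never occurred are left empty (None) in this model.
    return [{x_field: x, **{s: cells.get(s) for s in series}}
            for x, cells in by_x.items()]


def to_stats_style(rows, x_field, series_field, value_field):
    """Unpivot chart-style rows (the untable direction): one row per
    non-empty (x, series) cell."""
    out = []
    for row in rows:
        for name, value in row.items():
            if name != x_field and value is not None:
                out.append({x_field: row[x_field], series_field: name,
                            value_field: value})
    return out


def stack_totals(chart_rows, x_field):
    """Height of each stacked bar: the sum of that row's series columns."""
    return {r[x_field]: sum(v for k, v in r.items()
                            if k != x_field and v is not None)
            for r in chart_rows}


if __name__ == "__main__":
    chart = to_chart_style(STATS_ROWS, "Logged_on", "Type", "count")
    for r in chart:
        print(r)
    print(stack_totals(chart, "Logged_on"))
```

Only the pivoted shape gives the chart one column per Type to stack on each Logged_on bar; the stats-style rows have a single count column, so there is nothing to stack.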
Thanks, this is the search I've been playing with:
index=* request_id=$request_id$ |`rex_stats`|eval System_CPU_load = round(System_CPU_load *100,2)|stats max(System_CPU_load) as max_cpu_usage by task_id,phase_id|eval xlabel=phase_id|chart avg(max_cpu_usage) by xlabel,phase_id|rename xlabel AS phase_id|rename avg(max_cpu_usage) as "Average CPU Usage(%)"