Dashboards & Visualizations

Timechart for stacked with multiseries

Esperteyu
Explorer

Hi,

I'm really struggling with something I thought would be easier. I'm trying to display a timeline of ratios between error/total for several types of requests and thought it would be nice if I could use stacked columns for each of them (and, as the number of them is big, maybe using the trellis visualization), but I can't make it work. I looked into many answers and the closest one was this one, but as the author says, it doesn't work fine.

My query would be something as "simple" as

base_search
| stats count as total sum(error) as errors by request_type

I have honestly lost track of how many things I tried, any help?

0 Karma

renjith_nair
Legend

@Esperteyu ,

Are you trying to create just a chart with stacked series? Something similar to this?

<form>
  <label>testing</label>
  <row>
    <panel>
      <chart>
        <search>
          <query>index=_* earliest=-15m |timechart span=5m count,avg(date_hour) by sourcetype</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.chart.style">minimal</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
  </row>
</form>
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

Esperteyu
Explorer

@renjith.nair Not sure if it's a setting, but I can't seem to be able to use Simple XML (?); I can just create dashboards based on searches. But by the look of it, I'm not sure that's what I'm after, as I would like a stacked bar chart of percentages (for instance errors:10% success:90%) over time for quite a few types as the split-by field.

0 Karma

Vijeta
Influencer

Can you please share a sample log with field names?

0 Karma

Esperteyu
Explorer

Thanks @Vijeta, not sure if it helps a lot, but with the above query for a given range I get something like this:

request_type total errors
BASIC:AUS 10708 527
SCHEMA1:AUS 6469 247
BASIC:USA 18467 230
SCHEMA1:CAN 7385 124
SCHEMA2:USA 6003 86
BASIC:CAN 1477 33
BASIC:UK 3 0
SCHEMA2:AUT 102 0
BASIC:BGR 24 0

I evaluate the request_type from the body of the response log, just extracting strings, and errors would be evaluated like this: | eval error=if(like(response,"%FAILED%"),1,0) before summing them up.

0 Karma

adonio
Ultra Champion

What is the anticipated result?
Maybe consider using eventstats?

0 Karma

Esperteyu
Explorer

Sorry @adonio, but if I understand it properly, after streamstats I would need to use a command to make it chartable, and that's where I don't get anything useful from the different options I tried.

0 Karma
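One way to chart the error ratio per request_type over time, as an added example that is not part of the original thread. It reuses the poster's `base_search` placeholder, the `request_type` and `response` fields and the `error` eval quoted above; the 1-hour span and the `error_pct` field name are assumptions.

```spl
base_search
| eval error=if(like(response,"%FAILED%"),1,0)
| bin _time span=1h
| stats count as total sum(error) as errors by _time request_type
| eval error_pct=round(100*errors/total, 2)
| xyseries _time request_type error_pct
```

The result has one row per time bucket and one column per request_type, which a column chart renders as one series per request type.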