Dashboards & Visualizations

Why does chart overlay on not like colons in chrome?

| makeresults | eval value=1 | stats count as "count: 1", count by value

If you try to use chart overlay with "count: 1" using the above query, nothing happens.  It doesn't apply the overlay.  If you try with "count", it works as expected.  Both have worked in the past.  Is this fixed in a future version?  I didn't see it on the known issues page.  Thanks.


Labels (1)


Gah, thank you for posting this, I was second guessing myself.  I'm running into the same issue, not realizing it was the colons. 

This is not browser-specific:  I can repo in Safari and Firefox as well.

If I may tweak your repo into something that Splunk causes:


| makeresults | eval value=1 | timechart fixedrange=false max(value) as max, count by value


Chart overlay will not work with the timechart result because Splunk creates the fields "count: 1" and "max: 1".

Workaround: rename all the fields without the colon:


| rename "count: 1" as count_1, "max: 1" as max_1


Now you can put either field into the overlay.  This doesn't scale with lots of data though.

My Splunk:

Splunk Enterprise
Build: ae6821b7c64b

Tags (1)
0 Karma


It is actually the spaces, not the colons.  It works on newer versions of splunk if you can update.

The only other workaround I'm aware of is using the Trellis view.


Ah, thanks for the update. I'm glad its been addressed. I read thru all the subsequent Release Notes 8.2.4-9.0 and didn't spot it. 

I'll get a support ticket submited to track down which version specifically fixes it.

Thank you!



0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...