Adding a predicted cumulative value to a stacked bar chart

rbolande
Explorer

I wish to take a stacked bar chart, use 'addtotals' to create a field representing the cumulative value of the stacked bars, and then overlay a prediction (using predict) of the cumulative value on the stacked bar chart.  When I try to do this, the stacked bars always revert to side-by-side in the chart.  Here is a look at what I wish to do:

Some SPL that generates a sample dataset:

| makeresults count=20
| streamstats count AS count
| eval _time=now()+(count*43200)
| eval n=(random() % 1000000) + 1
| eval load=100*count*n
| eval host_name=if(count%2==0,"host1", "host2")
| timechart span=1d avg(load) AS load by host_name
| addtotals host* fieldname=load_total

If I create a visualization of this, stack the bars, and add the 'load_total' field as an overlay, I end up with something like this:

rbolande_0-1609365904054.png

Now, I wish to add 'predict' to this query to get forecasted values for the cumulative 'load_total' field. Here is the SPL for that:

| makeresults count=20
| streamstats count AS count
| eval _time=now()+(count*43200)
| eval n=(random() % 1000000) + 1
| eval load=100*count*n
| eval host_name=if(count%2==0,"host1", "host2")
| timechart span=1d avg(load) AS load by host_name
| addtotals host* fieldname=load_total
| predict load_total algorithm=LLT future_timespan=4

Even though the bars are set to be stacked in the format of the chart, they revert to side-by-side.

rbolande_1-1609366848339.png

Any ideas on why the behavior is like this or how I can get the stacked bars?

I believe what I am trying to do is the same as in this post from @renuka, but I wanted to add a little more information.

Thanks,

Reid

to4kawa
SplunkTrust

| makeresults count=20
| streamstats count AS count
| eval _time=now()+(count*43200)
| eval n=(random() % 1000000) + 1
| eval load=100*count*n
| eval host_name=if(count%2==0,"host1", "host2")
| timechart span=1d avg(load) AS load by host_name
| addtotals host* fieldname=load_total
| predict load_total algorithm=LLT future_timespan=4
| fields - _*_total

We need to make the display look like this.

rbolande
Explorer

@to4kawa - Thanks for the response. Your proposed solution does give me a workaround of sorts (we are currently using something like this). Here is what the visual looks like:

image.png

I am really hoping to get a visual that maintains the "normal" predict confidence level shaded area...with the stacked bars. Something like this, except with stacked bars:

rbolande_0-1609427508676.png

Is there a technical reason that we can't maintain stacked bars while also preserving the shading of the confidence envelope?

Thanks,

REID

rbolande
Explorer

After consulting with Splunk Support and our Splunk Sales Engineer, I have submitted a request for using PREDICT with stacked bars on https://ideas.splunk.com/ideas/EID-I-807

The desired functionality does not seem possible in current versions of Splunk.
