Adding a predicted cumulative value to a stacked bar chart

rbolande
Explorer

I wish to take a stacked bar chart, use 'addtotals' to create a field representing the cumulative value of the stacked bars, and then overlay a prediction (using predict) of the cumulative value on the stacked bar chart. When I try to do this, the stacked bars always revert to side-by-side in the chart. Here is a look at what I wish to do:

Some SPL that generates a sample dataset:

| makeresults count=20
| streamstats count AS count
| eval _time=now()+(count*43200)
| eval n=(random() % 1000000) + 1
| eval load=100*count*n
| eval host_name=if(count%2==0,"host1", "host2")
| timechart span=1d avg(load) AS load by host_name
| addtotals host* fieldname=load_total

If I create a visualization of this, stack the bars, and add the 'load_total' field as an overlay, I end up with something like this:

rbolande_0-1609365904054.png

Now, I wish to add 'predict' to this query to get forecasted values for the cumulative 'load_total' field. Here is the SPL for that:

| makeresults count=20
| streamstats count AS count
| eval _time=now()+(count*43200)
| eval n=(random() % 1000000) + 1
| eval load=100*count*n
| eval host_name=if(count%2==0,"host1", "host2")
| timechart span=1d avg(load) AS load by host_name
| addtotals host* fieldname=load_total
| predict load_total algorithm=LLT future_timespan=4

Even though the bars are set to be stacked in the format of the chart, they revert to side-by-side.

rbolande_1-1609366848339.png

Any ideas on why the behavior is like this or how I can get the stacked bars?

I believe what I am trying to do is the same as in this post from @renuka, but I wanted to add a little more information.

Thanks,

Reid

0 Karma

to4kawa
Ultra Champion

| makeresults count=20
| streamstats count AS count
| eval _time=now()+(count*43200)
| eval n=(random() % 1000000) + 1
| eval load=100*count*n
| eval host_name=if(count%2==0,"host1", "host2")
| timechart span=1d avg(load) AS load by host_name
| addtotals host* fieldname=load_total
| predict load_total algorithm=LLT future_timespan=4
| fields - _*_total

We need to make the display look like this.

0 Karma

rbolande
Explorer

@to4kawa - Thanks for the response. Your proposed solution does give me a workaround of sorts (we are currently using something like this). Here is what the visual looks like:

image.png

I am really hoping to get a visual that maintains the "normal" predict confidence level shaded area...with the stacked bars. Something like this, except with stacked bars:

rbolande_0-1609427508676.png

Is there a technical reason that we can't maintain stacked bars while also preserving the shading of the confidence envelope?

Thanks,

REID

0 Karma

rbolande
Explorer

After consulting with Splunk Support and our Splunk Sales Engineer, I have submitted a request for using PREDICT with stacked bars on https://ideas.splunk.com/ideas/EID-I-807

The desired functionality does not seem possible in current versions of Splunk.
