I wish to take a stacked bar chart, use 'addtotals' to create a field representing the cumulative value of the stacked bars, and then overlay a prediction (using predict) of the cumulative value on the stacked bar chart. When I try to do this, the stacked bars always revert to side-by-side in the chart. Here is a look at what I wish to do:
Some SPL that generates a sample dataset:
| makeresults count=20
| streamstats count AS count
| eval _time=now()+(count*43200)
| eval n=(random() % 1000000) + 1
| eval load=100*count*n
| eval host_name=if(count%2==0,"host1", "host2")
| timechart span=1d avg(load) AS load by host_name
| addtotals host* fieldname=load_total
If I create a visualization of this, stack the bars, and add the 'load_total' field as an overlay, I end up with something like this:
Now, I wish to add 'predict' to this query to get forecasted values for the cumulative 'load_total' field. Here is the SPL for that:
| makeresults count=20
| streamstats count AS count
| eval _time=now()+(count*43200)
| eval n=(random() % 1000000) + 1
| eval load=100*count*n
| eval host_name=if(count%2==0,"host1", "host2")
| timechart span=1d avg(load) AS load by host_name
| addtotals host* fieldname=load_total
| predict load_total algorithm=LLT future_timespan=4
Even though the bars are set to be stacked in the format of the chart, they revert to side-by-side.
Any ideas on why the behavior is like this or how I can get the stacked bars?
I believe what I am trying to do is the same as in this post from @renuka, but I wanted to add a little more information.
Thanks,
Reid
| makeresults count=20
| streamstats count AS count
| eval _time=now()+(count*43200)
| eval n=(random() % 1000000) + 1
| eval load=100*count*n
| eval host_name=if(count%2==0,"host1", "host2")
| timechart span=1d avg(load) AS load by host_name
| addtotals host* fieldname=load_total
| predict load_total algorithm=LLT future_timespan=4
| fields - _*_total
We need to make the display look like this.
@to4kawa - Thanks for the response. Your proposed solution does give me a workaround of sorts (we are currently using something like this). Here is what the visual looks like:
I am really hoping to get a visual that maintains the "normal" predict confidence level shaded area...with the stacked bars. Something like this, except with stacked bars:
Is there a technical reason that we can't maintain stacked bars while also preserving the shading of the confidence envelope?
Thanks,
REID
After consulting with Splunk Support and our Splunk Sales Engineer, I have submitted a request for using PREDICT with stacked bars on https://ideas.splunk.com/ideas/EID-I-807
The desired functionality does not seem possible in current versions of Splunk.