Splunk Search

Can I have a chart overlay with 2 series stacked in a Splunk graph?

HattrickNZ
Motivator

I have a chart with 4 series and what I am wondering is "can I have a chart overlay with 2 series stacked in a Splunk graph"?

For example, can I get the 2 lines (red and purple) in the below graph stacked in the chart overlay?

This is what I am trying to achieve in Excel.

1 Solution

HattrickNZ
Motivator

Thanks to @martin_mueller in the above comments. This is the answer.
Chart overlays are not stacked, on purpose.

With a bit of postprocessing you could compute the height of the stacked bars for each row, and add this offset to the overlay fields to emulate this behaviour.

martin_mueller
SplunkTrust

Sure: Select bar chart, select stacked mode, put your two overlay series into the chart overlay fields, done.


martin_mueller
SplunkTrust

Like this:

index=_internal | timechart span=1m count by sourcetype | addtotals | eval splunkd_ui_access = Total - splunkd | eval splunkd = Total | fields - Total


Note how the mongod bar bumps up both lines, and how the splunkd_ui_access line bumps up the splunkd line towards the right. Alter the arithmetic if that's not what you're looking for.

HattrickNZ
Motivator

Tks, kind of but slightly different. Have got mine sorted for now.


martin_mueller
SplunkTrust

Chart overlays are not stacked, on purpose.

With a bit of postprocessing you could compute the height of the stacked bars for each row, and add this offset to the overlay fields to emulate this behaviour.

HattrickNZ
Motivator

Why didn't you say so 🙂 Tks. I'll look at doing some preprocessing, or as I like to call it, fiddling 🙂 But I do think it would be good as an option to be able to stack the chart overlay; in my case here I am trying to do it on the 2nd y axis. My 2 cents.


martin_mueller
SplunkTrust

The search is index=_internal |timechart count by sourcetype, the entire chart configuration is described above already.

HattrickNZ
Motivator

Checked that with my different data set and pretty sure they are not stacked. Hard to confirm with my dataset.

In your example above I think splunkd and splunkd_ui_access are not stacked. I am not sure, but if they were, splunkd (the green line) would jump up when splunkd_ui_access jumps up (around 10.55pm). Thoughts?


HattrickNZ
Motivator

That's what I thought. Not working on my data. Can I just confirm that you know that splunkd and splunkd_ui_access are stacked there? Can I have the search to see if I can reproduce at my end? Tks
