Splunk Search
Highlighted

Can I have a chart overlay with 2 series stacked in a Splunk graph?

Motivator

I have a chart with 4 series and what I am wondering is "can I have a chart overlay with 2 series stacked in a Splunk graph"?

For example can I get the 2 lines(red and purple) in the below graph stacked in the chart overlay
alt text

this is what I am trying to achieve in excel
alt text

0 Karma
Highlighted

Re: Can I have a chart overlay with 2 series stacked in a Splunk graph?

SplunkTrust
SplunkTrust

Sure: Select bar chart, select stacked mode, put your two overlay serieses into the chart overlay fields, done.

alt text

Highlighted

Re: Can I have a chart overlay with 2 series stacked in a Splunk graph?

Motivator

thats what I thought. not working on my data. can I just confirm that you know that splunkd and splunkduiaccess are stacked there? Can I have the search to see if i can reproduce at my end? tks

0 Karma
Highlighted

Re: Can I have a chart overlay with 2 series stacked in a Splunk graph?

SplunkTrust
SplunkTrust

The search is index=_internal |timechart count by sourcetype, the entire chart configuration is described above already.

Highlighted

Re: Can I have a chart overlay with 2 series stacked in a Splunk graph?

Motivator

checked that with my different data set and pretty sure they are not stacked. hard to confim with my dataset,

In your example above I think splunkd and splunkduiaccess are not stacked.I am not sure but if they were splunkd(the green line) would jump up when splunkduiaccess jumps up(around 10.55pm). thoughts?

0 Karma
Highlighted

Re: Can I have a chart overlay with 2 series stacked in a Splunk graph?

SplunkTrust
SplunkTrust

Chart overlays are not stacked, on purpose.

With a bit of postprocessing you could compute the height of the stacked bars for each row, and add this offset to the overlay fields to emulate this behaviour.

Highlighted

Re: Can I have a chart overlay with 2 series stacked in a Splunk graph?

Motivator

why didn't you say so 🙂 tks. Ill look at doing some preprcessing or as I like to call it fiddling 🙂 But I do think it would be good as an option to be able to stack the chartoverlay, in my case here I am trying to do it on the 2nd y axis, my 2 cents.

0 Karma
Highlighted

Re: Can I have a chart overlay with 2 series stacked in a Splunk graph?

SplunkTrust
SplunkTrust

Like this:

index=_internal |timechart span=1m  count by sourcetype | addtotals | eval splunkd_ui_access = Total - splunkd | eval splunkd = Total | fields - Total

alt text

Note how the mongod bar bumps up both lines, and how the splunkduiaccess line bumps up the splunkd line towards the right. Alter the arithmetic if that's not what you're looking for.

Highlighted

Re: Can I have a chart overlay with 2 series stacked in a Splunk graph?

Motivator

tks, kind of but slightly different. have got mie sorted for now.

0 Karma
Highlighted

Re: Can I have a chart overlay with 2 series stacked in a Splunk graph?

Motivator

Can I have a chart overlay with 2 series stacked in a Splunk graph?

thanks to @martin_mueller in the above comments. this is the answer.
Chart overlays are not stacked, on purpose.

With a bit of postprocessing you could compute the height of the stacked bars for each row, and add this offset to the overlay fields to emulate this behaviour.

View solution in original post

0 Karma