Splunk Search

Chart overlay graphs not in sync

Norling80
Path Finder

Hey guys, does anyone of you know why this happens when on dashboard with chart overlay elements? I only experience it when I look at charts over 1 week of time.

alt text

Tags (2)
0 Karma

chimell
Motivator

Hi Norling80
Just copy and test this dashboard xml code

<dashboard>
  <label>dashboard_name</label>
  <row>
    <panel>
      <chart>
        <search>
          <query>index=main sourcetype="playerdata" | timechart span=1h dc(PlayerId) | appendcols [search index=main sourcetype="playerdata" ActionTaken=observe | timechart span=1h dc(PlayerId)]</query>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">true</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">area</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.chart.overlayFields">dc_with_all_ActionTaken</option>
        <option name="charting.axisTitleY.text">dc_with_one_ActionTaken</option>
      </chart>
    </panel>
  </row>
</dashboard>
0 Karma

intelsubham
Explorer

It is possible that when you are running the search for longer duration, values for some rows in one of the searches is null which is resulting in gap.
try to include fillnull at the end of both searches and run again.

index=main sourcetype="playerdata" | timechart span=1h dc(PlayerId) |fillnull value=0 | appendcols [search index=main sourcetype="playerdata" ActionTaken=observe | timechart span=1h dc(PlayerId)|fillnull value=0 ]

0 Karma

Norling80
Path Finder

I still have the same problem, at this point it seems to be a problem with the timestamp, I will look into it and update this thread.

0 Karma

MichaelPriest
Communicator

Have you got an example of the search or data?

0 Karma

Norling80
Path Finder

Here you go

index=main sourcetype="playerdata" | timechart span=1h dc(PlayerId) | appendcols [search index=main sourcetype="playerdata" ActionTaken=observe | timechart span=1h dc(PlayerId)]

0 Karma

Arun_N_007
Communicator

Hi,

Could you please have a look into the table which generated this graph?

Check whether the values are in sync??

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...