Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Chart overlay graphs not in sync

Norling80
Path Finder
‎05-26-2015 02:21 AM

Hey guys, does anyone of you know why this happens when on dashboard with chart overlay elements? I only experience it when I look at charts over 1 week of time.

alt text

Tags (2)
Preview file
29 KB
0 Karma
Reply

chimell
Motivator
‎05-27-2015 09:18 AM

Hi Norling80
Just copy and test this dashboard xml code 

<dashboard>
  <label>dashboard_name</label>
  <row>
    <panel>
      <chart>
        <search>
          <query>index=main sourcetype="playerdata" | timechart span=1h dc(PlayerId) | appendcols [search index=main sourcetype="playerdata" ActionTaken=observe | timechart span=1h dc(PlayerId)]</query>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">true</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">area</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.chart.overlayFields">dc_with_all_ActionTaken</option>
        <option name="charting.axisTitleY.text">dc_with_one_ActionTaken</option>
      </chart>
    </panel>
  </row>
</dashboard>
0 Karma
Reply

intelsubham
Explorer
‎05-27-2015 04:27 AM

It is possible that when you are running the search for longer duration, values for some rows in one of the searches is null which is resulting in gap.
try to include fillnull at the end of both searches and run again.

index=main sourcetype="playerdata" | timechart span=1h dc(PlayerId) |fillnull value=0 | appendcols [search index=main sourcetype="playerdata" ActionTaken=observe | timechart span=1h dc(PlayerId)|fillnull value=0 ]

0 Karma
Reply

Norling80
Path Finder
‎06-01-2015 07:00 AM

I still have the same problem, at this point it seems to be a problem with the timestamp, I will look into it and update this thread.

0 Karma
Reply

MichaelPriest
Communicator
‎05-26-2015 03:15 AM

Have you got an example of the search or data?

0 Karma
Reply

Norling80
Path Finder
‎05-26-2015 11:21 PM

Here you go

index=main sourcetype="playerdata" | timechart span=1h dc(PlayerId) | appendcols [search index=main sourcetype="playerdata" ActionTaken=observe | timechart span=1h dc(PlayerId)]

0 Karma
Reply

Arun_N_007
Communicator
‎05-27-2015 12:37 AM

Hi,

Could you please have a look into the table which generated this graph?

Check whether the values are in sync??

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...