Splunk Search

Chart overlay graphs not in sync

Norling80
Path Finder

Hey guys, does anyone of you know why this happens when on dashboard with chart overlay elements? I only experience it when I look at charts over 1 week of time.

alt text

Tags (2)
0 Karma

chimell
Motivator

Hi Norling80
Just copy and test this dashboard xml code

<dashboard>
  <label>dashboard_name</label>
  <row>
    <panel>
      <chart>
        <search>
          <query>index=main sourcetype="playerdata" | timechart span=1h dc(PlayerId) | appendcols [search index=main sourcetype="playerdata" ActionTaken=observe | timechart span=1h dc(PlayerId)]</query>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">true</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">area</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.chart.overlayFields">dc_with_all_ActionTaken</option>
        <option name="charting.axisTitleY.text">dc_with_one_ActionTaken</option>
      </chart>
    </panel>
  </row>
</dashboard>
0 Karma

intelsubham
Explorer

It is possible that when you are running the search for longer duration, values for some rows in one of the searches is null which is resulting in gap.
try to include fillnull at the end of both searches and run again.

index=main sourcetype="playerdata" | timechart span=1h dc(PlayerId) |fillnull value=0 | appendcols [search index=main sourcetype="playerdata" ActionTaken=observe | timechart span=1h dc(PlayerId)|fillnull value=0 ]

0 Karma

Norling80
Path Finder

I still have the same problem, at this point it seems to be a problem with the timestamp, I will look into it and update this thread.

0 Karma

MichaelPriest
Communicator

Have you got an example of the search or data?

0 Karma

Norling80
Path Finder

Here you go

index=main sourcetype="playerdata" | timechart span=1h dc(PlayerId) | appendcols [search index=main sourcetype="playerdata" ActionTaken=observe | timechart span=1h dc(PlayerId)]

0 Karma

Arun_N_007
Communicator

Hi,

Could you please have a look into the table which generated this graph?

Check whether the values are in sync??

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...