I have two questions.
1.Is it possible to Stack and unstack in a single column chart?
in the below chart the line on top of each bar is the total per stacked column, I want to have the total column first and then the stacked (split-up of total) next.
Problem: Since i am not able to do the same i had to add total as overlay
2. How can i show in tooltip value of a column apart form the value chart shows by default in tooltip
Lets assume i have TotalParts and TotalPartsRunTime, if i plot chart by TotalPartsRunTime then i can see the label TotalPartsRunTime: value for each column/stacked column in tooltip. Along with that i also wanted to show TotalParts: value
Problem: When i add TotalParts in result then it is stacked as part of the already stacked column and creates a separate legend for the same, what i wanted to do is just show the TotalParts count in tooltip
e.g scenario
Application: ABC
val_2_B is the total time taken to process
val_4: is the total count of val_2_B items that was processed [expected to show in tooltip and same should not be plotted in chart]
Please let me know if i am not clear
| makeresults
| eval application="FSD", val_1="A", val_2=4839, val_3=5000, val_4=1000
| append
[| makeresults
| eval application="ABC", val_1="B", val_2=1000, val_3=3215,val_4=2000]
| append
[| makeresults
| eval application="ABC", val_1="E", val_2=478, val_3=4328,val_4=3000]
| table application val_1 val_2 val_3 val_4
| sort application
| streamstats count by application
| eventstats list(val_1) as val_1 by application
| foreach val_*
[| eval name="copy_<<FIELD>> ".mvindex(val_1,count-1)
| eval {name}=<<FIELD>>]
| stats values(copy_*) as * by application
| fields - val_1*
In case this is what you want:
| makeresults
| eval application="FSD", val_1="A", val_2=4839, val_3=5000, val_4=1000
| append
[| makeresults
| eval application="ABC", val_1="B", val_2=1000, val_3=3215,val_4=2000]
| append
[| makeresults
| eval application="ABC", val_1="E", val_2=478, val_3=4328,val_4=3000]
| table application val_1 val_2 val_3 val_4
| sort application
| streamstats count by application
| eventstats list(val_1) as val_1 by application
| foreach val_*
[| eval name="copy_<<FIELD>>_".mvindex(val_1,count-1)
| eval {name}=<<FIELD>>]
| stats values(copy_*) as * by application
| fields - val_1*
| addtotals | addtotals col=t Total
| fillnull application value="000" | eval Total=if(application="000", Total, null())
| sort application | eval application=if(application="000", "Total", application)
No because of existing data issue.
ISSUE:
1.Total is a split of 5 values but we don't have value of one of the split value.
e.g what we have is Total=10, Split1=1 Split2=3 Split3=4. Split value 2 is missing. So we show total first as a column and then split values as stacked column the height diff between total and stacked column is the missing value
e.g current elk viz we are replicating in splunk
