Splunk Search

Column Chart - unstack and stack in one chart. Show a column value as tooltip

rajg369
Explorer

I have two questions.

1.Is it possible to Stack and unstack in a single column chart?
in the below chart the line on top of each bar is the total per stacked column, I want to have the total column first and then the stacked (split-up of total) next.

Problem: Since i am not able to do the same i had to add total as overlay 
SC1.PNG
2. How can i show in tooltip  value of a column apart form the value chart shows by default in tooltip
     Lets assume i have TotalParts and TotalPartsRunTime, if i plot chart by TotalPartsRunTime then i can see the label TotalPartsRunTime: value for each column/stacked column in tooltip. Along with that i also wanted to show TotalParts: value

Problem: When i add TotalParts in result then it is stacked as part of the already stacked column and creates a separate legend for the same, what i wanted to do is just show the TotalParts count in tooltip
SC4.jpg

e.g scenario
Application: ABC
val_2_B is the total time taken to process
val_4: is the total count of val_2_B items that was processed  [expected to show in tooltip and same should not be plotted in chart]

Please let me know if i am not clear

| makeresults
| eval application="FSD", val_1="A", val_2=4839, val_3=5000, val_4=1000
| append
[| makeresults
| eval application="ABC", val_1="B", val_2=1000, val_3=3215,val_4=2000]
| append
[| makeresults
| eval application="ABC", val_1="E", val_2=478, val_3=4328,val_4=3000]
| table application val_1 val_2 val_3 val_4
| sort application
| streamstats count by application
| eventstats list(val_1) as val_1 by application
| foreach val_*
[| eval name="copy_<<FIELD>> ".mvindex(val_1,count-1)
| eval {name}=<<FIELD>>]
| stats values(copy_*) as * by application
| fields - val_1*

Labels (2)
0 Karma

VatsalJagani
Super Champion

In case this is what you want:

| makeresults
| eval application="FSD", val_1="A", val_2=4839, val_3=5000, val_4=1000
| append
[| makeresults
| eval application="ABC", val_1="B", val_2=1000, val_3=3215,val_4=2000]
| append
[| makeresults
| eval application="ABC", val_1="E", val_2=478, val_3=4328,val_4=3000]
| table application val_1 val_2 val_3 val_4
| sort application
| streamstats count by application
| eventstats list(val_1) as val_1 by application
| foreach val_*
[| eval name="copy_<<FIELD>>_".mvindex(val_1,count-1)
| eval {name}=<<FIELD>>]
| stats values(copy_*) as * by application
| fields - val_1*

| addtotals | addtotals col=t Total 
| fillnull application value="000" | eval Total=if(application="000", Total, null())
| sort application | eval application=if(application="000", "Total", application)

VatsalJagani_0-1640938234029.png

 

0 Karma

rajg369
Explorer

Hi VatsalJagani,

Thanks for your reply. I need Total before each stacked column. Not 1 total for all stacked columns. Can you pleas help?

e.g. Total before ABC stacked column and Total before FSD stacked column

Thanks
Rajesh

0 Karma

VatsalJagani
Super Champion

try using chart-overlay (select the chart-type as stacked column and add select the field of the total count as chart-overlay, that will be displayed as a line) in the chart options.

0 Karma

rajg369
Explorer

Hi VatsalJagani,

I have already done chart overlay for total, I have mentioned the same In my post. The question was
Is it possible to Stack and unstack in a single column chart? So total is first bar (unstacked) and what comes next will be stacked bar (split up of total)

Thanks

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

It is not possible to achieve what you want in a standard column chart.

0 Karma

rajg369
Explorer

No because of existing data issue. 

ISSUE:
1.Total is a split of 5 values but we don't have value of one of the split value.

e.g what we have is Total=10, Split1=1 Split2=3 Split3=4. Split value 2 is missing. So we show total first as a column and then split values as stacked column the height diff between total and stacked column is the missing value

e.g current elk viz we are replicating in splunk

SC1.PNG

0 Karma
Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...