Splunk Search

Column chart with overlapping stacks

ohlafl
Communicator

I have a chart that lists the average CPU load of an environment over time by x nodes and want to save GUI space by stacking the columns on top of eachother. Since the y-axis is displaying the load percentage I need all stacks to begin at y=0 and that the stack with the lowest y-axis range is placed in front of the second one and so on.

I know that I could do a stacking like this by subtracting the y-axis length of the lower stacks but it seems too complicated and it would not give the proper value when hoovering on the stack.

Does anyone have any ideas on how to create a simple solution or if this exists natively within Splunk?

1 Solution

alacercogitatus
SplunkTrust
SplunkTrust

I think the closest you will get with the native Splunk visualizations is the Area chart option. This will stack the different servers in front of each other. It's no column chart, but it would get the job done. The scale on Y-axis would use the same scale for each server, so you can compare the servers against each other, even though they are connected visually.

<your_search> | timechart span=1d avg(CPULoadPercentage) as "CPU Load" by host

And then switch the Viz to Area.

View solution in original post

alacercogitatus
SplunkTrust
SplunkTrust

I think the closest you will get with the native Splunk visualizations is the Area chart option. This will stack the different servers in front of each other. It's no column chart, but it would get the job done. The scale on Y-axis would use the same scale for each server, so you can compare the servers against each other, even though they are connected visually.

<your_search> | timechart span=1d avg(CPULoadPercentage) as "CPU Load" by host

And then switch the Viz to Area.

ohlafl
Communicator

Thank you, I guess this will have to do for now although I would like to see Splunk (natively) supporting something similar with column charts.

0 Karma

woodcock
Esteemed Legend

If you use a stacked column chart, Splunk does this for you, but you have to format your search (output) correctly for this. Have you attempted to do this?

ohlafl
Communicator

That's what I am using and currently populating by ... chart avg(CPULoadPercentage) as "CPU Load" over date by host ... which just "concatenates" the stacks. How should I format it?

0 Karma

woodcock
Esteemed Legend

That should do it (depending on what is creating date and how it is doing it). So your default visualization will be an unstacked column chart with side-by-side values. Click on the Format control (with the little paint brush icon) and under the General tab, play around with the Stack Mode and Multi-Series Mode control options. I believe that you are looking for the middle icon which is called stacked.

ohlafl
Communicator

Hm, yes well that is one solution but it was not really what I was looking for, I'll show you with this (ugly) picture:

alt text

0 Karma

woodcock
Esteemed Legend

OK, so you would like it overlayed, not stacked, and in such a way that the tallest is in the back so that you can always see all of them. This is an interesting visualization that Splunk should add. Did you try the Multi-Series Mode which I also mentioned? You will probably like it better and it is the only other option with the built-in XML visualizations.

0 Karma
Get Updates on the Splunk Community!

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...