All,

I'm trying to implement overlays for the dashboard panel I am working on. I want the exactly the same chart as is described in this question http://answers.splunk.com/answers/81701/chart-overlay-and-different-graph-type.

Unfortunately, I can't seem to get Splunk to recognize chart2. It just takes all the display details from the first chart and ignores chart2 completely. Moreover, it doesn't respect the columns property (instead, it just applies the styling to all columns returned from a search).

Does anyone know why this might be? My search returns the exact same format as the example in the link I sent. Below is XML to display the chart overlay:

<form>
  <row>
    <chart>
      <title>Elapsed times per hour</title>
      <searchString>sourcetype=perfLogging browserElapsed!="None" roundTripElapsed!="None" networkElapsed!="None" serverElapsed!="None" dbName=$dbName$ event=$event$ | eval browserElapsed=(browserElapsed/1000)  | eval networkElapsed=(networkElapsed/1000)  | eval serverElapsed=(serverElapsed/1000)  | timechart span=1h avg(browserElapsed) as browserElapsed avg(networkElapsed) as networkElapsed avg(serverElapsed) as serverElapsed count as count</searchString>
      <earliestTime>$earliest$</earliestTime>
      <latestTime>$latest$</latestTime>

      <!-- set up alternative palatte for stacked chart, transparancy makes the line chart more visible -->
      <option name="charting.transparentBrushPalette">solidFill</option>
      <option name="charting.transparentBrushPalette.colorPalette">@colorPalette</option>
      <option name="charting.transparentBrushPalette.alpha">0.7</option>

      <!-- set chart to use columns 0,1,2,3 where @data is the original search, and 0 is the time-->
      <option name="charting.data1">view</option>
      <option name="charting.data1.table">@data</option>
      <option name="charting.data1.columns">[0,1,2,3]</option>
      <option name="charting.chart.data">@data1</option>

      <!-- set chart2 to use columns 0,4, where 0 is time, 4 is the count -->
      <option name="charting.data2">view</option>
      <option name="charting.data2.table">@data</option>
      <option name="charting.data2.columns">[0,4]</option>
      <option name="charting.chart2.data">@data2</option>

      <!-- splunk doesnt suppory 2 Y axis, so we have to clone -->
      <option name="charting.axisY2">#axisY</option>

      <!-- clone the Yaxis into axisY2 -->
      <option name="charting.axisLabelsY2">#axisLabelsY</option>

      <!-- clone the Yaxis Labels -->
      <option name="charting.axisLabelsY2.axis">@axisY2</option>

      <!-- associate the new Y2 axis-labels with the Y2 axis -->
      <!--create the 1st chart -->
      <option name="charting.chart">column</option>
      <option name="charting.chart.columnBrushPalette">@transparentBrushPalette</option>
      <option name="charting.chart.stackMode">stacked</option>
      <option name="charting.chart.useAbsoluteSpacing">True</option>
      <option name="charting.chart.columnSpacing">20</option>
      <option name="charting.chart.columnAlignment">.5</option>
      <option name="charting.axisTitleY.text">Time</option>
      <option name="charting.axisLabelsY.placement">left</option>

      <!--create the 2nd chart -->
      <option name="charting.chart2">line</option>
      <option name="charting.chart2.nullValueMode">zero</option>
      <option name="charting.chart2.axisY">@axisY2</option>

      <!-- the Yaxis of chart 2 is a link to charting.axisY2 -->
      <option name="charting.axisTitleY2">axisTitle</option>
      <option name="charting.axisTitleY2.text">Count</option>
      <option name="charting.axisLabelsY2.placement">right</option>

      <!-- throw the structure to layout -->
      <option name="charting.layout.charts">[@chart,@chart2]</option>
      <option name="charting.layout.axisLabels">[@axisLabelsX,@axisLabelsY,@axisLabelsY2]</option>
      <option name="charting.layout.axisTitles">[@axisTitleX,@axisTitleY,@axisTitleY2]</option>

      <!--<earliestTime>$earliest$</earliestTime>
      <latestTime>$latest$</latestTime>
      <option name="charting.axisTitleX.visibility">visible</option>
      <option name="charting.axisTitleY.visibility">visible</option>
      <option name="charting.axisX.scale">linear</option>
      <option name="charting.axisY.scale">linear</option>
      <option name="charting.chart">line</option>
      <option name="charting.chart.nullValueMode">zero</option>
      <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
      <option name="charting.chart.stackMode">stacked</option>
      <option name="charting.chart.style">shiny</option>
      <option name="charting.drilldown">all</option>
      <option name="charting.layout.splitSeries">0</option>
      <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
      <option name="charting.legend.placement">right</option>
      <drilldown target="New Dashboard">
        <link>
          <![CDATA[
            /app/search/drilldown_for_event?form.dbName=$dbName$&form.event=$event$&form.elapsedType="$click.name2$"
          ]]>
        </link>
      </drilldown>
      <option name="wrap">true</option>
      <option name="rowNumbers">false</option>
      <option name="dataOverlayMode">none</option>
      <option name="drilldown">cell</option>-->
    </chart>
  </row>
</form>

As you can probably tell from the searchString, the return from the search is identical to the return for the search in the linked question. Does anyone know why I wouldn't be getting at least some form of an overlay? Why is Splunk only respecting the first chart? Is this feature deprecated in Splunk 6? Any insight would be greatly appreciated.