Splunk Search

Display 2 charts with the same time alignment and the same color for each series?

sieutruc
Contributor

Hello,

I have a search like this: the total value of each transaction type for each business day

host="test1" sourcetype="ObjTransaction" | chart sum(TransactionValue) over BusinessDay by TransactionType

and another that is the number of events of each transaction type for each business day

host="test1" sourcetype="ObjTransaction" | chart count as number over BusinessDay by TransactionType

How can I display 2 column charts such that they have the same vertical alignment based on BusinessDay (time with the unit being a day) and have the same color for each TransactionType?

For example: in the column chart of the number of events for each business day, on 10/12/2012 there are 2 transactions, A and B.

A has a blue color and its number of events is 10; B has a red color and its number of events is 20.

In the column chart of the total value for each business day, similarly, A and B have the same colors as in the previous chart, meaning A is in blue with its value being 102$, and B is in red with its value = 80$.

0 Karma

sieutruc
Contributor

You can see clearly what is not lining up in the 2 figures. The first is the Y axis' scale value and the second is the number of transaction types for each day; especially on 31/10/2012, there is no event 10 in the first figure. So how can I fix the X axis width for their vertical alignment, and let transaction types appear similarly in the 2 figures?


0 Karma

jonuwz
Influencer

Just tried this; provided the legends have the same text, the colors should be the same in the 2 charts. The only alignment issues are because the widths of the text on the right-hand side axis could be different (which is easily remedied by moving the axis to the right).

The bigger problem would be having null values for some of the fields, which would prevent the 'null' columns being plotted, but you can work around this with something like:

chart sum(eval(if(isnotnull(TransactionValue),TransactionValue,0))) as TransactionValue over BusinessDay by TransactionType

Why aren't they lining up for you?

0 Karma

jonuwz
Influencer

Try doing chart limit=0 ... chart picks the top 10 by default, so if the top 10 are different in each graph, they won't match (some will be missing).

0 Karma

sieutruc
Contributor

It's good for their color in the 2 figures, as Splunk automatically detects them, but for alignment, you can see the extra information I added with the figures above.

0 Karma

gkanapathy
Splunk Employee

I'm not sure I understand you, but would:

host="test1" sourcetype="ObjTransaction"
| chart count as number, sum(TransactionValue) by BusinessDay,TransactionType

work for you?

0 Karma

sieutruc
Contributor

No, what I want is 2 column charts that have the same vertical alignment, so that I can see clearly how many events of one particular transaction type there are on one specific day, and the corresponding sum value.

0 Karma