Splunk Search

Display 2 charts at the same timing alignment and with the same color of each series ?

Contributor

Hello,

I have a search like : total value of each transaction type for each business day

host="test1" sourcetype="ObjTransaction" | chart sum(TransactionValue) over BusinessDay by TransactionType

and another is number of events of each transaction type for each business day

host="test1" sourcetype="ObjTransaction" | chart count as number over BusinessDay by TransactionType

How can i display 2 colunm chars such that they have same vertical alignment basing on BusinessDay( time with unit is day) and have the same color for each TransactionType ?

For ex: In column chart of number of events of each business day,on the 10/12/2012: there are 2 transactions A and B

A has blue color and its number of events is 10, B has red color and its number of events is 20

In column chart of total value of each businessday, similarly, A, B have the same color as previous chart, means A in blue color with its value is 102$, et B in red color with its value = 80$

Tags (1)
0 Karma

Contributor

You can see clearly what are not lining up in 2 figures. The first is the Y axis' scale value and second is number of transaction types for each day, especially on 31/10/2012, there is no event 10 in the first figure. So how to fix X axis width for their vertical alignment, let transaction types be appearing similarly in 2 figures?

alt text

0 Karma

Influencer

Just tried this, provided the legends have the same text the colors should be the same in the 2 charts. The only alignment issues are because the widths of the text on the right hand side axis could be different ( which is easily remedied by moving the axis to the right )

The bigger problem would be having null values for some of the fields which would prevent the 'null columns being plotted, but you can work around this with something like :

chart sum(eval(if(isnotnull(TransactionValue),TransactionValue,0))) as TransactionValue over BusinessDay by TransactionType

Why aren't they lining up for you ?

0 Karma

Influencer

try doing chart limit=0 ... chart picks the top 10 by default, so if the top 10 are different in each graph, they wont match (some will be missing)

0 Karma

Contributor

It's good for their color in 2 figure as Splunk automatically detects them, but for alignment, you can see my extra added information with figures above

0 Karma

Splunk Employee
Splunk Employee

I'm not sure I understand you, but would:

host="test1" sourcetype="ObjTransaction"
| chart count as number, sum(TransactionValue) by BusinessDay,TransactionType

work for you?

0 Karma

Contributor

No, what i want is 2 column charts that have the same vertical alignment, so that i can see clearly how many event of one particular transaction type in one specific day, and its sum value corresponding.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!