Splunk Search

How do I create a stacked bar chart?

lakromani
Builder

I have 3 servers: host=host1, host2, and host3
From these servers I get s_status=ok, nok

I would like to get a graph where I get number of ok from all three servers in one column with servers listed with different colors in the same column.

Eks (Selecting Column as display format)

s_status=ok | timechart count by s_status

This gives me each a column with the sum of all three servers (correct number, but missing the color of each server)

Then I try

s_status=ok | timechart count by host

This gives me the three servers side by side with different colors.

I want them stacked with each server in the same column, but different colors and size depending on the number of ok

Maybe I need to use chart instead of timechart, but I do not know how to put it together.

Tags (3)
1 Solution

pwmcity
Path Finder

When you're on the visualizations tag (you can see the graph), look for the formatting options, there's an option to stack there.
I'd say you're better to go with your first option though, that way you can have your 'ok's stacked as blue, and your 'nok's stacked as red.... which is more alarming to see than a gap in blue

View solution in original post

hgrow
Communicator

Hi lakromani,

there is a dropdown menu with some format options for your visualization.

If you click Format -> Genereal -> Stack Mode: stacked its might be what you are looking for.

Greetings

lakromani
Builder

You are correct, just as pwmcity implied to. Thanks.

0 Karma

tom_frotscher
Builder

Hi,

to get them stacked: Stacked is a format option of the column chart:

alt text

Is your search s_status=ok | timechart count by host in addition to the stacked option what you wanted? Or do you need something else?

Greetings Tom

lakromani
Builder

Thanks, just as pwmcity answered, but yours are more visual 🙂

0 Karma

pwmcity
Path Finder

When you're on the visualizations tag (you can see the graph), look for the formatting options, there's an option to stack there.
I'd say you're better to go with your first option though, that way you can have your 'ok's stacked as blue, and your 'nok's stacked as red.... which is more alarming to see than a gap in blue

lakromani
Builder

Thanks, so simple. I have overclocked the stack mode in Format tab ....

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...