Splunk Search

How to change the order of stacked area chart where the small area is on top?

fikristar
Explorer

I am very new to Splunk

I need to create a stacked bar/area chart where I have two separate searches. I'd like to show the small areas on top of the bigger area. Tried to use sort function but it did not work.

The search function that I use is something like this:

source="/xx/*.csv"  Field1<500 Field2 Field3="*"  
| timechart span=30m count(Field1) AS Latency_lower_than_500ms 
| appendcols [search source="/xx/*.csv"  Field1<500 Field2 Field3="*"  
| timechart span=30m count(Field1) AS Latency_greater_than_500ms]  
| sort -Field1

This always shows the bigger area (latency lower than 500ms) on the top but i want it on the 1st stack so that the small one is stacked on top of the bigger one.

Appreciate any suggestions and help.

Thank you!

1 Solution

lguinn2
Legend

I think that you are doing this the hard way. Try this

 source="/xx/*.csv"  Field3="*"  
 | eval latency=if(Field1<500,"Less than 500 ms","500 ms or greater")
 | timechart span=30m count by latency

Your original search goes through the data twice. If the order does not appear the way that you would like, add this to the end

| table _time,"Less than 500 ms","500 ms or greater"

or

| table _time,"500 ms or greater","Less than 500 ms"

View solution in original post

0 Karma

lguinn2
Legend

I think that you are doing this the hard way. Try this

 source="/xx/*.csv"  Field3="*"  
 | eval latency=if(Field1<500,"Less than 500 ms","500 ms or greater")
 | timechart span=30m count by latency

Your original search goes through the data twice. If the order does not appear the way that you would like, add this to the end

| table _time,"Less than 500 ms","500 ms or greater"

or

| table _time,"500 ms or greater","Less than 500 ms"
0 Karma

fikristar
Explorer

Hi, Thank you for the suggestion to make a more efficient search.

My issue is actually I'd like to put the small part , in this case latency more than 500 ms on top of the "less than 500 ms" in a stacked area chart. What I have is the small part is on the bottom o stacked area instead on the top. How do I change the order of the this stacked area chart?

0 Karma

lguinn2
Legend

That is included in the answer above. Use the table command shown to change the order of the columns. This will also change the order of the stacks.

0 Karma

fikristar
Explorer

Thanks, I managed to get this working by simply changing the order.

Nevertheless, | table _time,"500 ms or greater","Less than 500 ms" did not give me the chart I expected. The time chart was not showing correctly when I added this command.

0 Karma

fikristar
Explorer

Hi Splunk experts, Is there any suggestion to overcome the issue that i am facing?

0 Karma
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!

Review:





Or Learn More in Our Blog >>