I am very new to Splunk.
I need to create a stacked bar/area chart where I have two separate searches. I'd like to show the small areas on top of the bigger area. Tried to use the sort function but it did not work.
The search function that I use is something like this:
source="/xx/*.csv" Field1<500 Field2 Field3="*"
| timechart span=30m count(Field1) AS Latency_lower_than_500ms
| appendcols [search source="/xx/*.csv" Field1>=500 Field2 Field3="*"
| timechart span=30m count(Field1) AS Latency_greater_than_500ms]
| sort -Field1
This always shows the bigger area (latency lower than 500ms) on the top, but I want it on the 1st stack so that the small one is stacked on top of the bigger one.
Appreciate any suggestions and help.
Thank you!
I think that you are doing this the hard way. Try this
source="/xx/*.csv" Field3="*"
| eval latency=if(Field1<500,"Less than 500 ms","500 ms or greater")
| timechart span=30m count by latency
Your original search goes through the data twice. If the order does not appear the way that you would like, add this to the end
| table _time,"Less than 500 ms","500 ms or greater"
or
| table _time,"500 ms or greater","Less than 500 ms"
Hello!
I had this problem and I solved it with this workaround.
First, I'm generating the timechart. But the stacked areas are randomly ordered.
Then, I transpose columns to rows, to be able to add a column total, then sort, remove the total, and then transpose back to obtain the timechart again, but ordered by the amount of each HTTP_Code value.
index=*
| timechart count(_raw) by HTTP_Code
| transpose 0 header_field=_time
| addtotals fieldname=total
| sort +total
| fields - total
| transpose 0 header_field=column
| rename column as _time
Did someone find an easier solution?
Hi, Thank you for the suggestion to make a more efficient search.
My issue is actually that I'd like to put the small part, in this case latency more than 500 ms, on top of the "less than 500 ms" in a stacked area chart. What I have is the small part on the bottom of the stacked area instead of on the top. How do I change the order of this stacked area chart?
That is included in the answer above. Use the table command shown to change the order of the columns. This will also change the order of the stacks.
Thanks, I managed to get this working by simply changing the order.
Nevertheless, | table _time,"500 ms or greater","Less than 500 ms" did not give me the chart I expected. The time chart was not showing correctly when I added this command.
Hi Splunk experts, is there any suggestion to overcome the issue that I am facing?
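The single-pass approach from the answer above, as an added example that is not part of the original thread. It replaces the CSV source with constructed events from makeresults (the event count, the 24-hour spread and the 0-599 ms range for Field1 are assumptions) so the column ordering can be tried on any Splunk instance without the original data:

```spl
| makeresults count=2000
| eval _time = now() - (random() % 86400)
| eval Field1 = random() % 600
| eval latency = if(Field1 < 500, "Less than 500 ms", "500 ms or greater")
| timechart span=30m count by latency
| table _time, "Less than 500 ms", "500 ms or greater"
```

Swap the two quoted names in the last line to flip the stacking order of the two series.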