Splunk Search

How to change the order of stacked area chart where the small area is on top?

fikristar
Explorer

I am very new to Splunk.

I need to create a stacked bar/area chart where I have two separate searches. I'd like to show the small areas on top of the bigger area. I tried to use the sort function, but it did not work.

The search function that I use is something like this:

source="/xx/*.csv"  Field1<500 Field2 Field3="*"  
| timechart span=30m count(Field1) AS Latency_lower_than_500ms 
| appendcols [search source="/xx/*.csv"  Field1>=500 Field2 Field3="*"  
| timechart span=30m count(Field1) AS Latency_greater_than_500ms]  
| sort -Field1

This always shows the bigger area (latency lower than 500 ms) on top, but I want it on the first stack so that the small one is stacked on top of the bigger one.

Appreciate any suggestions and help.

Thank you!

1 Solution

lguinn2
Legend

I think that you are doing this the hard way. Try this:

 source="/xx/*.csv"  Field3="*"  
 | eval latency=if(Field1<500,"Less than 500 ms","500 ms or greater")
 | timechart span=30m count by latency

Your original search goes through the data twice. If the order does not appear the way that you would like, add this to the end:

| table _time,"Less than 500 ms","500 ms or greater"

or

| table _time,"500 ms or greater","Less than 500 ms"


j01am
Explorer

Hello!

I had this problem and I solved it with this workaround.

First, I'm generating the timechart. But the stacked areas are randomly ordered.

Then I transpose columns to rows so that I can add a total column, then sort, remove the total, and transpose back to obtain the timechart again, now ordered by the amount of each HTTP_Code value.

index=* 
| timechart count(_raw) by HTTP_Code
| transpose 0 header_field=_time
| addtotals fieldname=total
| sort +total
| fields - total
| transpose 0 header_field=column
| rename column as _time

Did someone find an easier solution?


fikristar
Explorer

Hi, thank you for the suggestion to make a more efficient search.

My issue is actually that I'd like to put the small part, in this case latency more than 500 ms, on top of the "less than 500 ms" part in a stacked area chart. What I have is the small part on the bottom of the stacked area instead of on the top. How do I change the order of this stacked area chart?

lguinn2
Legend

That is included in the answer above. Use the table command shown to change the order of the columns. This will also change the order of the stacks.


fikristar
Explorer

Thanks, I managed to get this working by simply changing the order.

Nevertheless, | table _time,"500 ms or greater","Less than 500 ms" did not give me the chart I expected. The time chart was not showing correctly when I added this command.


fikristar
Explorer

Hi Splunk experts, is there any suggestion to overcome the issue that I am facing?