Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to combine graphs with different left and right axes?

mhtedford
Communicator
‎07-24-2017 09:36 AM

I have two graphs. The first shows the number of survey responses by week:
alt text

Here is the search:

index=webex_sentiment 
| eval surveyDate=strptime(Started,"%m/%d/%Y %H:%M") 
| eval YearWeek=strftime(surveyDate,"%Y-%U") 
| chart  count(Rating) as NumberRatings by YearWeek

The second shows the percentage of negative survey responses by week:
alt text

Here is the search:

index=webex_sentiment 
| eval surveyDate=strptime(Started,"%m/%d/%Y %H:%M") 
| eval YearWeek=strftime(surveyDate,"%Y-%U") 
| stats  count(Rating) as NumberRatings by YearWeek Rating  
| eventstats  sum(NumberRatings) as TotalRatings by YearWeek 
| eval  PercentageRatings=round(NumberRatings/TotalRatings,3)  
| where  Rating=1 OR Rating=2  
| chart  sum(PercentageRatings) as NegativeSentiment by YearWeek

I want to combine these into a single graph, with number of surveys on the left axis and percentage of negative sentiment on the right axis.

Preview file
18 KB
Preview file
16 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

cmerriman
Super Champion
‎07-24-2017 10:41 AM

try something like this and go into Format>Chart Overlay and grab the NegativeSentiment or TotalRatings as the overlay:

 index=webex_sentiment 
 | eval surveyDate=strptime(Started,"%m/%d/%Y %H:%M") 
 | eval YearWeek=strftime(surveyDate,"%Y-%U") 
 | stats  count(Rating) as NumberRatings by YearWeek Rating  
 | eventstats  sum(NumberRatings) as TotalRatings by YearWeek 
 | eval  PercentageRatings=round(NumberRatings/TotalRatings,3)  
 | where  Rating=1 OR Rating=2  
 | stats  sum(PercentageRatings) as NegativeSentiment max(TotalRatings) as TotalRatings by YearWeek

View solution in original post

Reply
Solved! Jump to solution
Solution

cmerriman
Super Champion
‎07-24-2017 10:41 AM

try something like this and go into Format>Chart Overlay and grab the NegativeSentiment or TotalRatings as the overlay:

 index=webex_sentiment 
 | eval surveyDate=strptime(Started,"%m/%d/%Y %H:%M") 
 | eval YearWeek=strftime(surveyDate,"%Y-%U") 
 | stats  count(Rating) as NumberRatings by YearWeek Rating  
 | eventstats  sum(NumberRatings) as TotalRatings by YearWeek 
 | eval  PercentageRatings=round(NumberRatings/TotalRatings,3)  
 | where  Rating=1 OR Rating=2  
 | stats  sum(PercentageRatings) as NegativeSentiment max(TotalRatings) as TotalRatings by YearWeek
Reply
Solved! Jump to solution

mhtedford
Communicator
‎07-24-2017 10:47 AM

That's exactly what I was looking for! Thanks so much.

Here is the final product: http://imgur.com/a/ERVTQ

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎07-24-2017 10:32 AM

@mhtedford, your queries are the same.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

mhtedford
Communicator
‎07-24-2017 10:36 AM

I updated the post, perhaps the edit hasn't gone through yet...

http://imgur.com/a/EbwTK

0 Karma
Reply
Solved! Jump to solution

cmerriman
Super Champion
‎07-24-2017 10:23 AM

the two searches you've given are exactly the same. what is supposed to be the difference between them?

0 Karma
Reply
Solved! Jump to solution

mhtedford
Communicator
‎07-24-2017 10:28 AM

Fixed @cmerriman

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...