Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to combine graphs with different left and right axes?

mhtedford
Communicator
‎07-24-2017 09:36 AM

I have two graphs. The first shows the number of survey responses by week:
alt text

Here is the search:

index=webex_sentiment 
| eval surveyDate=strptime(Started,"%m/%d/%Y %H:%M") 
| eval YearWeek=strftime(surveyDate,"%Y-%U") 
| chart  count(Rating) as NumberRatings by YearWeek

The second shows the percentage of negative survey responses by week:
alt text

Here is the search:

index=webex_sentiment 
| eval surveyDate=strptime(Started,"%m/%d/%Y %H:%M") 
| eval YearWeek=strftime(surveyDate,"%Y-%U") 
| stats  count(Rating) as NumberRatings by YearWeek Rating  
| eventstats  sum(NumberRatings) as TotalRatings by YearWeek 
| eval  PercentageRatings=round(NumberRatings/TotalRatings,3)  
| where  Rating=1 OR Rating=2  
| chart  sum(PercentageRatings) as NegativeSentiment by YearWeek

I want to combine these into a single graph, with number of surveys on the left axis and percentage of negative sentiment on the right axis.

Preview file
1 KB
Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

cmerriman
Super Champion
‎07-24-2017 10:41 AM

try something like this and go into Format>Chart Overlay and grab the NegativeSentiment or TotalRatings as the overlay:

 index=webex_sentiment 
 | eval surveyDate=strptime(Started,"%m/%d/%Y %H:%M") 
 | eval YearWeek=strftime(surveyDate,"%Y-%U") 
 | stats  count(Rating) as NumberRatings by YearWeek Rating  
 | eventstats  sum(NumberRatings) as TotalRatings by YearWeek 
 | eval  PercentageRatings=round(NumberRatings/TotalRatings,3)  
 | where  Rating=1 OR Rating=2  
 | stats  sum(PercentageRatings) as NegativeSentiment max(TotalRatings) as TotalRatings by YearWeek

View solution in original post

Reply
Solved! Jump to solution
Solution

cmerriman
Super Champion
‎07-24-2017 10:41 AM

try something like this and go into Format>Chart Overlay and grab the NegativeSentiment or TotalRatings as the overlay:

 index=webex_sentiment 
 | eval surveyDate=strptime(Started,"%m/%d/%Y %H:%M") 
 | eval YearWeek=strftime(surveyDate,"%Y-%U") 
 | stats  count(Rating) as NumberRatings by YearWeek Rating  
 | eventstats  sum(NumberRatings) as TotalRatings by YearWeek 
 | eval  PercentageRatings=round(NumberRatings/TotalRatings,3)  
 | where  Rating=1 OR Rating=2  
 | stats  sum(PercentageRatings) as NegativeSentiment max(TotalRatings) as TotalRatings by YearWeek
Reply
Solved! Jump to solution

mhtedford
Communicator
‎07-24-2017 10:47 AM

That's exactly what I was looking for! Thanks so much.

Here is the final product: http://imgur.com/a/ERVTQ

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎07-24-2017 10:32 AM

@mhtedford, your queries are the same.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

mhtedford
Communicator
‎07-24-2017 10:36 AM

I updated the post, perhaps the edit hasn't gone through yet...

http://imgur.com/a/EbwTK

0 Karma
Reply
Solved! Jump to solution

cmerriman
Super Champion
‎07-24-2017 10:23 AM

the two searches you've given are exactly the same. what is supposed to be the difference between them?

0 Karma
Reply
Solved! Jump to solution

mhtedford
Communicator
‎07-24-2017 10:28 AM

Fixed @cmerriman

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...