Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to combine two charts?

gokool2u
Explorer
‎09-21-2016 02:55 AM

I have made two charts based on two different search queries. One is a column chart and another one is a line chart.But I would like to have these 2 charts(column chart and line graph) in the same chart. I want them to be as they are but in a single chart instead of two different charts. The line graph may overlap on the columnar chart.
Here are the queries of those two charts:

*Query 1: "index=fin_mng | convert num("Income from Operations") as income_oper | convert num("Other Income") as other_income | convert num("Other Income _ Miscellaneous Income") as misc_income|fillnull value=0|eval TotalIncome= income_oper + other_income + misc_income|chart sum(TotalIncome) as "Total Expenses" over source by Company_name |replace 2011-2012.csv with 2011-2012 2012-2013.csv with 2012-2013 2013-2014.csv with 2013-2014 2014-2015.csv with 2014-2015 2015-2016.csv with 2015-2016 | rename source as Year"

Query 2: "index=fin_mng |convert num("Other Expenses") as Other_Expenses | convert num("Travelling Expenses") as Travelling_Expenses | convert num("Employee Benefit Expenses") as Employee_Benefit_Expenses|convert num("Depreciation and Amortisation expense") as Depreciation_Amortisation_expense|convert num("Expenditure") as Expenditure| fillnull value=0|eval TotalExpenses= (Other_Expenses + Travelling_Expenses + Employee_Benefit_Expenses+Depreciation_Amortisation_expense+Expenditure)*(-1)| chart sum(TotalExpenses) as "Total Expenses" over source by Company_name |replace 2011-2012.csv with 2011-2012 2012-2013.csv with 2012-2013 2013-2014.csv with 2013-2014 2014-2015.csv with 2014-2015 2015-2016.csv with 2015-2016 | rename source as Year"

I have attached the screenshot of those two charts I have made for reference.

alt text

alt text

Preview file
30 KB
Preview file
31 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎09-21-2016 05:41 AM

Try this

index=fin_mng | convert num("Income from Operations") as income_oper | convert num("Other Income") as other_income | convert num("Other Income _ Miscellaneous Income") as misc_income|fillnull value=0|eval TotalIncome= income_oper + other_income + misc_income|chart sum(TotalIncome) as "Income" sum(TotalExpenses) as "Expenses" over source by Company_name |replace 2011-2012.csv with 2011-2012 2012-2013.csv with 2012-2013 2013-2014.csv with 2013-2014 2014-2015.csv with 2014-2015 2015-2016.csv with 2015-2016 | rename source as Year

Once you have the results add the "<>:Expenses" field as overlay fields. Here's more on how you can do that

http://docs.splunk.com/Documentation/Splunk/6.4.3/Viz/Chartcontrols#Chart_overlay_example_.28dual_ax...

View solution in original post

Reply
Solved! Jump to solution

gokool2u
Explorer
‎09-22-2016 02:57 AM

Thank you so much Sundaresh. It worked like a charm...

0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎09-21-2016 05:41 AM

Try this

index=fin_mng | convert num("Income from Operations") as income_oper | convert num("Other Income") as other_income | convert num("Other Income _ Miscellaneous Income") as misc_income|fillnull value=0|eval TotalIncome= income_oper + other_income + misc_income|chart sum(TotalIncome) as "Income" sum(TotalExpenses) as "Expenses" over source by Company_name |replace 2011-2012.csv with 2011-2012 2012-2013.csv with 2012-2013 2013-2014.csv with 2013-2014 2014-2015.csv with 2014-2015 2015-2016.csv with 2015-2016 | rename source as Year

Once you have the results add the "<>:Expenses" field as overlay fields. Here's more on how you can do that

http://docs.splunk.com/Documentation/Splunk/6.4.3/Viz/Chartcontrols#Chart_overlay_example_.28dual_ax...

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...