Splunk Search

How to combine two charts?

gokool2u
Explorer

I have made two charts based on two different search queries. One is a column chart and another one is a line chart.But I would like to have these 2 charts(column chart and line graph) in the same chart. I want them to be as they are but in a single chart instead of two different charts. The line graph may overlap on the columnar chart.
Here are the queries of those two charts:

*Query 1: "index=fin_mng | convert num("Income from Operations") as income_oper | convert num("Other Income") as other_income | convert num("Other Income _ Miscellaneous Income") as misc_income|fillnull value=0|eval TotalIncome= income_oper + other_income + misc_income|chart sum(TotalIncome) as "Total Expenses" over source by Company_name |replace 2011-2012.csv with 2011-2012 2012-2013.csv with 2012-2013 2013-2014.csv with 2013-2014 2014-2015.csv with 2014-2015 2015-2016.csv with 2015-2016 | rename source as Year"

Query 2: "index=fin_mng |convert num("Other Expenses") as Other_Expenses | convert num("Travelling Expenses") as Travelling_Expenses | convert num("Employee Benefit Expenses") as Employee_Benefit_Expenses|convert num("Depreciation and Amortisation expense") as Depreciation_Amortisation_expense|convert num("Expenditure") as Expenditure| fillnull value=0|eval TotalExpenses= (Other_Expenses + Travelling_Expenses + Employee_Benefit_Expenses+Depreciation_Amortisation_expense+Expenditure)*(-1)| chart sum(TotalExpenses) as "Total Expenses" over source by Company_name |replace 2011-2012.csv with 2011-2012 2012-2013.csv with 2012-2013 2013-2014.csv with 2013-2014 2014-2015.csv with 2014-2015 2015-2016.csv with 2015-2016 | rename source as Year"

I have attached the screenshot of those two charts I have made for reference.

alt text

alt text

0 Karma
1 Solution

sundareshr
Legend

Try this

index=fin_mng | convert num("Income from Operations") as income_oper | convert num("Other Income") as other_income | convert num("Other Income _ Miscellaneous Income") as misc_income|fillnull value=0|eval TotalIncome= income_oper + other_income + misc_income|chart sum(TotalIncome) as "Income" sum(TotalExpenses) as "Expenses" over source by Company_name |replace 2011-2012.csv with 2011-2012 2012-2013.csv with 2012-2013 2013-2014.csv with 2013-2014 2014-2015.csv with 2014-2015 2015-2016.csv with 2015-2016 | rename source as Year

Once you have the results add the "<>:Expenses" field as overlay fields. Here's more on how you can do that

http://docs.splunk.com/Documentation/Splunk/6.4.3/Viz/Chartcontrols#Chart_overlay_example_.28dual_ax...

View solution in original post

gokool2u
Explorer

Thank you so much Sundaresh. It worked like a charm...

0 Karma

sundareshr
Legend

Try this

index=fin_mng | convert num("Income from Operations") as income_oper | convert num("Other Income") as other_income | convert num("Other Income _ Miscellaneous Income") as misc_income|fillnull value=0|eval TotalIncome= income_oper + other_income + misc_income|chart sum(TotalIncome) as "Income" sum(TotalExpenses) as "Expenses" over source by Company_name |replace 2011-2012.csv with 2011-2012 2012-2013.csv with 2012-2013 2013-2014.csv with 2013-2014 2014-2015.csv with 2014-2015 2015-2016.csv with 2015-2016 | rename source as Year

Once you have the results add the "<>:Expenses" field as overlay fields. Here's more on how you can do that

http://docs.splunk.com/Documentation/Splunk/6.4.3/Viz/Chartcontrols#Chart_overlay_example_.28dual_ax...

Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...