Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to compare Column Chart with Line Chart?

igschloessl
Explorer
‎11-05-2019 06:22 AM

I need to show in a column chart the count for the top 5 destination hosts in proxy logs and above it a line of summed counts of all proxy logs.
So I need two panels in one.

My search for the column chart is the following:

index=proxy earliest=-1month@month latest=@month | timechart span=1w count by dest_host usenull=false limit=5

I also need to add the overall count line with the following search:
index=proxy earliest=-1month@month latest=@month | timechart count

How can I compare these two searches in one panel?

I know that this article https://answers.splunk.com/answers/9053/example-of-chart-overlay.html exists but I dont get along with the description.

Can anyone help?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-05-2019 07:27 AM

Hi igschloessl,
did you explored the possibility to use Chart Overlay?
You can see an exmple in Splunk Dashboard Examples App ( https://splunkbase.splunk.com/app/1603/ ).

You could try something like this:

<form>
    <label>Chart Overlay</label>
    <description>Show limits and other data on one chart.</description>
    <fieldset autoRun="true" submitButton="false">
        <input type="time" token="time" searchWhenChanged="true">
            <label/>
            <default>
                <earliest>-60m@m</earliest>
                <latest>now</latest>
            </default>
        </input>
    </fieldset>
    <row>
        <panel>
            <chart>
                <title>Chart Overlay w/ Single Axis</title>
                <search>
                    <query>
                        index=proxy earliest=-1month@month latest=@month 
                       | timechart span=1w count by dest_host usenull=false limit=5
                       | addtotals
                    </query>
                    <earliest>$time.earliest$</earliest>
                    <latest>$time.latest$</latest>
                </search>
                <option name="charting.legend.placement">bottom</option>
                <option name="charting.legend.masterLegend">null</option>
                <option name="height">300</option>
                <option name="charting.chart.overlayFields">total</option>
                <option name="charting.fieldColors">{"count": 0x639BF1, "average":0xFF5A09}</option>
            </chart>
        </panel>
    </row>
</form>

Ciao.
Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-05-2019 07:27 AM

Hi igschloessl,
did you explored the possibility to use Chart Overlay?
You can see an exmple in Splunk Dashboard Examples App ( https://splunkbase.splunk.com/app/1603/ ).

You could try something like this:

<form>
    <label>Chart Overlay</label>
    <description>Show limits and other data on one chart.</description>
    <fieldset autoRun="true" submitButton="false">
        <input type="time" token="time" searchWhenChanged="true">
            <label/>
            <default>
                <earliest>-60m@m</earliest>
                <latest>now</latest>
            </default>
        </input>
    </fieldset>
    <row>
        <panel>
            <chart>
                <title>Chart Overlay w/ Single Axis</title>
                <search>
                    <query>
                        index=proxy earliest=-1month@month latest=@month 
                       | timechart span=1w count by dest_host usenull=false limit=5
                       | addtotals
                    </query>
                    <earliest>$time.earliest$</earliest>
                    <latest>$time.latest$</latest>
                </search>
                <option name="charting.legend.placement">bottom</option>
                <option name="charting.legend.masterLegend">null</option>
                <option name="height">300</option>
                <option name="charting.chart.overlayFields">total</option>
                <option name="charting.fieldColors">{"count": 0x639BF1, "average":0xFF5A09}</option>
            </chart>
        </panel>
    </row>
</form>

Ciao.
Giuseppe

Reply
Solved! Jump to solution

igschloessl
Explorer
‎11-06-2019 03:13 AM

It doenst make a line. What do I need to modify to get a line?

0 Karma
Reply
Solved! Jump to solution

igschloessl
Explorer
‎11-06-2019 03:29 AM

I had to to the following step
Click chart overlay and Click the text box and select Total field.
There was the wrong field selected.

Thank you very much.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...