- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I need to show in a column chart the count for the top 5 destination hosts in proxy logs and above it a line of summed counts of all proxy logs.
So I need two panels in one.
My search for the column chart is the following:
index=proxy earliest=-1month@month latest=@month | timechart span=1w count by dest_host usenull=false limit=5
I also need to add the overall count line with the following search:
index=proxy earliest=-1month@month latest=@month | timechart count
How can I compare these two searches in one panel?
I know that this article https://answers.splunk.com/answers/9053/example-of-chart-overlay.html exists but I dont get along with the description.
Can anyone help?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi igschloessl,
did you explored the possibility to use Chart Overlay?
You can see an exmple in Splunk Dashboard Examples App ( https://splunkbase.splunk.com/app/1603/ ).
You could try something like this:
<form>
<label>Chart Overlay</label>
<description>Show limits and other data on one chart.</description>
<fieldset autoRun="true" submitButton="false">
<input type="time" token="time" searchWhenChanged="true">
<label/>
<default>
<earliest>-60m@m</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<chart>
<title>Chart Overlay w/ Single Axis</title>
<search>
<query>
index=proxy earliest=-1month@month latest=@month
| timechart span=1w count by dest_host usenull=false limit=5
| addtotals
</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
</search>
<option name="charting.legend.placement">bottom</option>
<option name="charting.legend.masterLegend">null</option>
<option name="height">300</option>
<option name="charting.chart.overlayFields">total</option>
<option name="charting.fieldColors">{"count": 0x639BF1, "average":0xFF5A09}</option>
</chart>
</panel>
</row>
</form>
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi igschloessl,
did you explored the possibility to use Chart Overlay?
You can see an exmple in Splunk Dashboard Examples App ( https://splunkbase.splunk.com/app/1603/ ).
You could try something like this:
<form>
<label>Chart Overlay</label>
<description>Show limits and other data on one chart.</description>
<fieldset autoRun="true" submitButton="false">
<input type="time" token="time" searchWhenChanged="true">
<label/>
<default>
<earliest>-60m@m</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<chart>
<title>Chart Overlay w/ Single Axis</title>
<search>
<query>
index=proxy earliest=-1month@month latest=@month
| timechart span=1w count by dest_host usenull=false limit=5
| addtotals
</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
</search>
<option name="charting.legend.placement">bottom</option>
<option name="charting.legend.masterLegend">null</option>
<option name="height">300</option>
<option name="charting.chart.overlayFields">total</option>
<option name="charting.fieldColors">{"count": 0x639BF1, "average":0xFF5A09}</option>
</chart>
</panel>
</row>
</form>
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It doenst make a line. What do I need to modify to get a line?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I had to to the following step
Click chart overlay and Click the text box and select Total field.
There was the wrong field selected.
Thank you very much.
