Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to make a chart overlay

vino06
New Member
‎05-24-2017 11:57 PM

I'm trying to make a graph using a chart overlay, scenario is I want to put all the transactions with minutes to the left and right for all transactions that are in count. Please see my search below and the graph.

index="appdynamics" source="metrics.log" sourcetype="metrics" name=RDYWPD01-TomcatA:ServiceProxy:PortalProd:VerySlowCalls OR name=RDYWPD01-TomcatA:ServiceProxy:PortalProd:CallsPerMin OR name=RDYWPD01-TomcatA:ServiceProxy:PortalProd:ErrorsPerMin OR name=RDYWPD01-TomcatA:ServiceProxy:PortalProd:StallCount OR name=RDYWPD01:TomcatA:PortalProd:AveResponseTime
| timechart span=1d avg(value) by name
| rename RDYWPD01-TomcatA:ServiceProxy:PortalProd:VerySlowCalls as "Very Slow Calls", RDYWPD01-TomcatA:ServiceProxy:PortalProd:CallsPerMin as "Calls per minute", RDYWPD01-TomcatA:ServiceProxy:PortalProd:ErrorsPerMin as "Error per minute", RDYWPD01-TomcatA:ServiceProxy:PortalProd:StallCount as "Stall Counts", RDYWPD01:TomcatA:PortalProd:AveResponseTime as "Average Response Time (ms)"][1]

Preview file
29 KB
0 Karma
Reply

niketn
Legend
‎05-25-2017 04:54 AM

@vino06... While you want to overlay Time fields over Count fields, your time fields are both in minute and millisecons. Based on the output, you might have to change the unit.

    <option name="charting.axisTitleY.text">Count</option>
    <option name="charting.axisTitleY2.text">Time</option>
    <option name="charting.axisY2.scale">inherit</option>
    <option name="charting.chart.overlayFields">"Calls per minute", "Error per minute","Average Response Time (ms)"</option>
    <option name="charting.chart.nullValueMode">zero</option>

PS: Based on the screenshot, you also might want to set the Null Value Mode to zero or connected which is currently gap. All these settings are directly accessible fromEdit > Format visualization in UI (if you want to avoid changing via Simple XML)

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

cmerriman
Super Champion
‎05-25-2017 05:06 AM

this question was asked earlier. https://answers.splunk.com/answers/542628/chart-overlay-1.html for reference.

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎05-25-2017 04:37 AM

HI @vino06,
First, create overlay field in the search.

//for example if overlay=100

YOUR SEARCH | eval overlay=100

Second, add charting.chart.overlayFields option in chart xml.

<option name="charting.chart.overlayFields">overlay</option>

I hope it's helpful to you.

Thanks

Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...