Splunk Search

How to overlap two bars in a Splunk chart?

luna23
Explorer

I have this search that counts the times a product has been purchased and the times the same product has been purchased with some other product, in this case product m.
I want to overlap the TotalEvents upon the TotalMatch, but the option of stacked bars is just adding up the 2 fields.

Can someone help me please?

index=main sourcetype=csv source="reglas2.csv" Productos!=m [ search index=main sourcetype=csv source="reglas2.csv" Productos!=m [search index=main sourcetype=csv source="reglas2.csv" Productos=m | fields Id_Transaccion] | fields Productos ] | stats count as TotalEvents by Productos | appendcols [search index=main sourcetype=csv source="reglas2.csv" Productos!=m [search index=main sourcetype=csv source="reglas2.csv" Productos=m | fields Id_Transaccion] | stats count as TotalMatch by Productos]|table Productos  TotalMatch TotalEvents


0 Karma
1 Solution

DMohn
Motivator

If you really need to use bar charts, you could try to "cheat" by subtracting the field TotalMatch from TotalEvents, and then stacking the fields. In this case you would see correct graphics, but your table results are wrong.

Just for the visualisation it can be a usable method still...

index=main sourcetype=csv source="reglas2.csv" Productos!=m [ search index=main sourcetype=csv source="reglas2.csv" Productos!=m [search index=main sourcetype=csv source="reglas2.csv" Productos=m | fields Id_Transaccion] | fields Productos ] | stats count as TotalEvents by Productos | appendcols [search index=main sourcetype=csv source="reglas2.csv" Productos!=m [search index=main sourcetype=csv source="reglas2.csv" Productos=m | fields Id_Transaccion] | stats count as TotalMatch by Productos] | eval TotalEvents = TotalEvents - TotalMatch |table Productos  TotalMatch TotalEvents


0 Karma


luna23
Explorer

Thanks DMohn, as you said, the calculations will be wrong, although the chart will look good.
But what I am trying to do here is a market basket analysis, so I need to show the correct times a product has been purchased (TotalEvents) and the times a product has been purchased with another product (TotalMatch).

0 Karma

DMohn
Motivator

Where shall these numbers be used? Is there a chance to include a table and a visualisation?

In this case you can introduce a temporary field like eval DisplayTotalEvents = TotalEvents - TotalMatch for the bar chart, and use the correct total fields for the table...

0 Karma
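
DMohn's temporary-field suggestion applied to the search from the question, as an added example that is not part of any post in this thread. DisplayTotalEvents (the name DMohn proposes) carries only the remainder for the stacked bar, while TotalEvents keeps its true value for the table.

```spl
index=main sourcetype=csv source="reglas2.csv" Productos!=m
    [ search index=main sourcetype=csv source="reglas2.csv" Productos!=m
        [ search index=main sourcetype=csv source="reglas2.csv" Productos=m
          | fields Id_Transaccion ]
      | fields Productos ]
| stats count as TotalEvents by Productos
| appendcols
    [ search index=main sourcetype=csv source="reglas2.csv" Productos!=m
        [ search index=main sourcetype=csv source="reglas2.csv" Productos=m
          | fields Id_Transaccion ]
      | stats count as TotalMatch by Productos ]
| eval DisplayTotalEvents = TotalEvents - TotalMatch
| table Productos TotalMatch DisplayTotalEvents TotalEvents
```

For the stacked bar chart panel, append `| fields Productos TotalMatch DisplayTotalEvents` so each bar's full height equals the real TotalEvents; for the table panel, append `| fields Productos TotalMatch TotalEvents`. Note that appendcols pairs rows by position rather than by Productos, so both stats results must list the same products in the same order.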

luna23
Explorer

It could be an option, thanks.

0 Karma

sundareshr
Legend

Try area chart?

0 Karma

luna23
Explorer

I already tried the area chart and it does overlap, but I want the same result in a bar chart.

0 Karma