Splunk Search

How to overlap two bars in a Splunk chart?

luna23
Explorer

I have this search that counts the times a product has been purchased and the times the same product has been purchased with some other product, in this case product m.
I want to overlap the TotalEvents upon the TotalMatchs, but the option of stacked bars is just adding up the 2 fields.

Can someone help me please?

index=main sourcetype=csv source="reglas2.csv" Productos!=m [ search index=main sourcetype=csv source="reglas2.csv" Productos!=m [search index=main sourcetype=csv source="reglas2.csv" Productos=m | fields Id_Transaccion] | fields Productos ] | stats count as TotalEvents by Productos | appendcols [search index=main sourcetype=csv source="reglas2.csv" Productos!=m [search index=main sourcetype=csv source="reglas2.csv" Productos=m | fields Id_Transaccion] | stats count as TotalMatch by Productos]|table Productos  TotalMatch TotalEvents

alt text

0 Karma
1 Solution

DMohn
Motivator

If you really need to use bar charts, you could try to "cheat" by substracting the field TotalMatch from TotalEvents, and then stacking the fields. In this case you would see correct graphics, but your table results are wrong.

Just for the visualisation it can be a usable method still...

index=main sourcetype=csv source="reglas2.csv" Productos!=m [ search index=main sourcetype=csv source="reglas2.csv" Productos!=m [search index=main sourcetype=csv source="reglas2.csv" Productos=m | fields Id_Transaccion] | fields Productos ] | stats count as TotalEvents by Productos | appendcols [search index=main sourcetype=csv source="reglas2.csv" Productos!=m [search index=main sourcetype=csv source="reglas2.csv" Productos=m | fields Id_Transaccion] | stats count as TotalMatch by Productos] | eval TotalEvents = TotalEvents - TotalMatch |table Productos  TotalMatch TotalEvents

View solution in original post

0 Karma

DMohn
Motivator

If you really need to use bar charts, you could try to "cheat" by substracting the field TotalMatch from TotalEvents, and then stacking the fields. In this case you would see correct graphics, but your table results are wrong.

Just for the visualisation it can be a usable method still...

index=main sourcetype=csv source="reglas2.csv" Productos!=m [ search index=main sourcetype=csv source="reglas2.csv" Productos!=m [search index=main sourcetype=csv source="reglas2.csv" Productos=m | fields Id_Transaccion] | fields Productos ] | stats count as TotalEvents by Productos | appendcols [search index=main sourcetype=csv source="reglas2.csv" Productos!=m [search index=main sourcetype=csv source="reglas2.csv" Productos=m | fields Id_Transaccion] | stats count as TotalMatch by Productos] | eval TotalEvents = TotalEvents - TotalMatch |table Productos  TotalMatch TotalEvents
0 Karma

luna23
Explorer

Thanks DMohn,as you said it, the calculations will be wrong, although the chart will look good.
But what i am trying to do here is a market basket analisys, so i need to show the correct times a product has been purchased (TotalEvents) and the times a product has been purchased with other product (TotalMatch)

0 Karma

DMohn
Motivator

Where shall these numbers be used? Is there a chance to include a table and a visualisation?

In this case you can introduce a temporary field like eval DisplayTotalEvents = TotalEvents - TotalMatch for the bar chart, and use the correct total fields for the table...

0 Karma

luna23
Explorer

It could be an option, Thanks

0 Karma

sundareshr
Legend

Try area chart?

0 Karma

luna23
Explorer

I already tried the area chart and it does overlap, but i want the same result in a bar chart

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...