Splunk Search

How to overlay 2 searches to generate linechart and area chart?

mmouse88
Path Finder

Using 6.1, I would like to create a horizontal line with area chart. I have read so many examples and my search command has produce very close result. Only thing missing is to show by sourcetype limit=n (number). Here's my command:

index=name | bin _time span=15m | eventstats max(total_capacity) as Available | timechart sum(eval(quantity/12)) span=1h as current_usage first(Available) as available

Right now it shows the horizontal line which is available and under is the area chart which is current_usage. very close to what i want.

I would like to some how show current_usage is a sourcetype. example: by sourcetype limit=n (number). Instead solid area chart, it has a breakdown what the sourcetype is. sourcetype = powertools (hammer, wrench, screwdriver, etc).

Thanks.

0 Karma
1 Solution

mmouse88
Path Finder

I was able to figure this out by using "appendcols"

View solution in original post

0 Karma

mmouse88
Path Finder

I was able to figure this out by using "appendcols"

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

I'm not quite sure if I understand your question correctly, are you trying to split the area by sourcetype but still show one overlay line overall?

Try this:

  index=name
| timechart span=1h sum(eval(quantity/12)) as current_usage max(total_capacity) as available by sourcetype
| rename "current_usage: *" as * | eval available = 0
| foreach "available: *" [eval available = if(isnull('<<FIELD>>' OR '<<FIELD>>' < available, available, '<<FIELD>>')]
| eventstats max(available) as available | fields - "available: *"
0 Karma

martin_mueller
SplunkTrust
SplunkTrust

My search doesn't yield ten sourcetypes and one available column?

0 Karma

mmouse88
Path Finder

sorry again, use this link as example http://docs.splunk.com/Documentation/Splunk/6.1.3/SearchReference/Timechart. Example one is a stacked bar chart, the type is ProductName. Instead of bar chart, mine is stacked area chart with 10 types shown. Maybe i was using the wrong terminology, sourcetype vs type.

0 Karma

mmouse88
Path Finder

you are correct that your search will not yield 10 sourcetypes and one available column if you use the original search. My question was how to change it to display 10 sourcetypes on the visualization tab with the line chart and area chart and 10 columns on the Statistics tab

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

That doesn't reduce my confusion. If the search I posted earlier doesn't miraculously do what you need you should post a batch of sample data along with how you want the chart to look like.

0 Karma

mmouse88
Path Finder

basically, if I break the last search:

index=name | bin _time span=15m | timechart sum(eval(quantity/12)) span=1h as current_usage first(Available) as available

replace it with

index=name | bin _time span=15m | timechart sum(eval(quantity/12)) span=1h by sourcetype limit=10

The area chart wll display 10 sourcetypes. Hope this helps.

0 Karma

mmouse88
Path Finder

sorry for the confusion. Basically i want to show two charts: line and area where the area would like to breakdown what current_usage is. current_usage is powertools. Powertools has hammer, wrench, screwdriver, etc.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...