Splunk Search

How to overlay 2 searches to generate linechart and area chart?

mmouse88
Path Finder

Using 6.1, I would like to create a horizontal line with an area chart. I have read so many examples and my search command has produced a very close result. The only thing missing is to show by sourcetype limit=n (number). Here's my command:

index=name | bin _time span=15m | eventstats max(total_capacity) as Available | timechart sum(eval(quantity/12)) span=1h as current_usage first(Available) as available

Right now it shows the horizontal line, which is available, and under it is the area chart, which is current_usage. Very close to what I want.

I would like to somehow show that current_usage is a sourcetype. Example: by sourcetype limit=n (number). Instead of a solid area chart, it has a breakdown of what the sourcetype is. sourcetype = powertools (hammer, wrench, screwdriver, etc.).

Thanks.

0 Karma
1 Solution

mmouse88
Path Finder

I was able to figure this out by using "appendcols"


0 Karma

martin_mueller
SplunkTrust

I'm not quite sure if I understand your question correctly. Are you trying to split the area by sourcetype but still show one overlay line overall?

Try this:

  index=name
  | timechart span=1h sum(eval(quantity/12)) as current_usage max(total_capacity) as available by sourcetype
  | rename "current_usage: *" as *
  | eval available = 0
  | foreach "available: *" [eval available = if(isnull('<<FIELD>>') OR '<<FIELD>>' < available, available, '<<FIELD>>')]
  | eventstats max(available) as available
  | fields - "available: *"

0 Karma

martin_mueller
SplunkTrust

My search doesn't yield ten sourcetypes and one available column?

0 Karma

mmouse88
Path Finder

Sorry again, use this link as an example: http://docs.splunk.com/Documentation/Splunk/6.1.3/SearchReference/Timechart. Example one is a stacked bar chart, the type is ProductName. Instead of a bar chart, mine is a stacked area chart with 10 types shown. Maybe I was using the wrong terminology, sourcetype vs type.

0 Karma

mmouse88
Path Finder

You are correct that your search will not yield 10 sourcetypes and one available column if you use the original search. My question was how to change it to display 10 sourcetypes on the Visualization tab with the line chart and area chart, and 10 columns on the Statistics tab.

0 Karma

martin_mueller
SplunkTrust

That doesn't reduce my confusion. If the search I posted earlier doesn't miraculously do what you need, you should post a batch of sample data along with what you want the chart to look like.

0 Karma

mmouse88
Path Finder

Basically, if I break the last search:

index=name | bin _time span=15m | timechart sum(eval(quantity/12)) span=1h as current_usage first(Available) as available

replace it with

index=name | bin _time span=15m | timechart sum(eval(quantity/12)) span=1h by sourcetype limit=10

The area chart will display 10 sourcetypes. Hope this helps.

0 Karma

mmouse88
Path Finder

Sorry for the confusion. Basically I want to show two charts: line and area, where the area should break down what current_usage is. current_usage is powertools. Powertools has hammer, wrench, screwdriver, etc.

0 Karma
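Putting the thread together, as an added example that is not the asker's posted final search: the by-sourcetype timechart from above, with the overall available line attached via appendcols as the accepted answer suggests. Index and field names (index=name, quantity, total_capacity) are taken from the thread; appendcols pairs rows by position, so both searches must cover the same time range with the same span=1h, otherwise the available value shifts onto the wrong hour.

```spl
index=name
| bin _time span=15m
| timechart span=1h sum(eval(quantity/12)) by sourcetype limit=10
| appendcols
    [ search index=name
      | bin _time span=15m
      | eventstats max(total_capacity) as Available
      | timechart span=1h first(Available) as available ]
```

The Statistics tab then shows _time, one column per sourcetype and one available column; in the chart format options, pick a stacked area chart and set available as the chart overlay so it draws as the line.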