Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to plot cumulative stack timechart ?

meamitjain
New Member
‎01-14-2013 12:38 PM

Hello, I have timechart by location requirement. Also client want to see the cumulative value on the stacked bar so that he dont have to add up numbers to find total of that minute. Is there a formatting option on chart or something I could do within the query.

Thanks
Amit

Tags (1)
0 Karma
Reply

kristian_kolb
Ultra Champion
‎01-15-2013 02:18 PM

The following example shows how you can add fields numerically (never mind that it does not add hours and minutes correctly, the point is to demonstrate addition through the eval command, with data that is available on every splunk instance)

index=_internal  | head 3| eval hm = date_hour + date_minute| eval hms= hm + date_second|  table time date_hour date_minute date_second hm hms

As you can see, the table contains the original fields as well as the computed ones.

To remove fields you do not want - add the | fields - fieldname1 fieldname2 etc to the end of the search.

To present the table as a graph, press the 'Results Chart' icon (looks like a small bar-chart, just below where it says "X matching results". There you can play around with various options, such as stacking etc.

You could/should perhaps also take a look at the proper charting commands, such as chart and timechart. Or stats, which may also prove useful.

hope this helps,

Kristian

0 Karma
Reply

meamitjain
New Member
‎01-15-2013 06:36 AM

sample events count:
Time,Location1,Location2,Location3
12:31,30,40,50
12:32,40,50,60
12:33,20,30,40

sample output expected:
Time,Location1,Location2,Location3
12:31,30,70,120
12:32,40,90,150
12:33,20,50,90

On stacked chart I want to show the values as cumulative.

Hope this helps.

0 Karma
Reply

kristian_kolb
Ultra Champion
‎01-14-2013 01:57 PM

please provide more information. sample events. sketch of desired output.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

Data Management Digest – May 2026

Welcome to the May 2026 edition of Data Management Digest!   As your trusted partner in data innovation, the ...