Splunk Search

Overlay value in time chart

tanasami
New Member

There are multiple programs running every day and I want to visualise the volume and duration of each program by day.

The data looks like this:

_time, programtype, volume, daily
20/01/2020,program1,8000,5444
20/01/2020,program2,8000,1224
21/01/2020,program1,1000,1123
21/01/2020,program2,1000,1122

If I use a timechart (e.g. | timechart span=1d values(volume) sum(duration) by programtype) to display the data, I would get 4 graphs being shown.

VolumeProgram1
VolumeProgram2
DurationProgram1
DurationProgram2

What I want to show is 3 graphs, with the volume being generic.
*All programs will always have the same volume on the day.
How would the query look if I want to show:

Volume
DurationProgram1
DurationProgram2

Is there a way to merge the data?

Thanks

0 Karma

woodcock
Esteemed Legend

First of all, values() is not a proper aggregation function for timechart and it really should give you an error (if it does not, that is a bug on Splunk's part), so let's start by switching to avg() (you might prefer max() or something else). So try this:

| timechart span=1d avg(volume) AS volume sum(duration) AS duration BY programtype
| eval volume = 0
| foreach "volume:*" [ eval volume = volume + '<<FIELD>>' | fields - "<<FIELD>>" ]

Here is a run-anywhere example:

| makeresults | eval _raw="_time          programtype  volume    daily
20/01/2020     program1     8000      5444
20/01/2020     program2     8000      1224
21/01/2020     program1     1000      1123
21/01/2020     program2     1000      1122"
| multikv forceheader=1
| eval _time = strptime(time, "%d/%m/%Y")
| rename daily AS duration
| timechart fixedrange=f span=1d avg(volume) AS volume sum(duration) AS duration BY programtype
| eval volume = 0
| foreach "volume:*" [ eval volume = volume + '<<FIELD>>' | fields - "<<FIELD>>" ]
0 Karma

to4kawa
Ultra Champion
| makeresults
| eval _raw="_time, programtype, volume, daily
20/01/2020,program1,8000,5444
20/01/2020,program2,8000,1224
21/01/2020,program1,1000,1123
21/01/2020,program2,1000,1122"
| rex mode=sed "s/(?m)^\s+//g"
| multikv forceheader=1
| eval _time=strptime(time,"%d/%m/%Y")
| table _time, programtype, volume, daily
| rename COMMENT as "this is sample you provide. From here, the logic"
| timechart span=1d values(volume) as volume sum(daily) as duration by programtype sep=""
| foreach volume* [ eval Volume = max('<<FIELD>>') ]
| rename duration* as *
| fields - volume*
0 Karma
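An added run-anywhere search (my own, not from either answer above) that uses the same foreach merge as the two answers but also checks the asker's assumption that every program reports the same volume on a given day, and flags the day instead of silently picking one value when they differ. The sample rows are the ones from the question; the field names Volume, vol_min and vol_max, the sep="_" naming and the rex/mvexpand way of building the sample are my choices.

```spl
| makeresults
| eval row=split("20/01/2020,program1,8000,5444;20/01/2020,program2,8000,1224;21/01/2020,program1,1000,1123;21/01/2020,program2,1000,1122", ";")
| mvexpand row
| rex field=row "^(?<day>[^,]+),(?<programtype>[^,]+),(?<volume>\d+),(?<daily>\d+)$"
| eval _time=strptime(day, "%d/%m/%Y")
| fields _time programtype volume daily
| rename COMMENT AS "sample data above; the merge and the consistency check below"
| timechart fixedrange=f span=1d max(volume) AS volume sum(daily) AS duration BY programtype sep="_"
| eval vol_min=null(), vol_max=null()
| foreach volume_* [ eval vol_min=min(coalesce(vol_min,'<<FIELD>>'),'<<FIELD>>'), vol_max=max(coalesce(vol_max,'<<FIELD>>'),'<<FIELD>>') ]
| eval Volume=if(vol_min==vol_max, vol_max, "MISMATCH ".vol_min."-".vol_max)
| rename duration_* AS *
| fields - volume_* vol_min vol_max
```

With the sample rows every day agrees, so Volume is 8000 and 1000; a day on which program1 and program2 reported different volumes would show "MISMATCH <min>-<max>" in the Volume column so the chart is not drawn from a wrong value.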