Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Problem with Stacked Area Chart

blurblebot
Communicator
‎10-26-2010 05:45 PM

I have a stacked area chart set up with advanced XML that is giving me an issue with mouseovers. The displayed chart, when moused over, highlights the entire distance from the top line to the X-axis, regardless of what section of the area chart my mouse is over.

With simplified XML charts, only the section of the area chart your mouse is over is highlighted, and I'd like to recreate that functionality in advanced XML.

With my particular chart, I have an area chart of Inbound, Outbound, and Internal sessions over time. Outbound is positioned as the top section of area chart, and whether I'm mousing over Internal or Inbound sections, only the Outbound data is displayed in the mouse-over's pop-up.

Below is my XML for reference.

    <module name="HiddenSearch" layoutPanel="panel_row1_col1" group="TCP Sessions by Direction" autoRun="False">
    <param name="search">`tcp-end` | timechart count(inst) by dir | rename inb AS Inbound | rename outb AS Outbound | rename int AS Internal| fields - ext</param>
    <param name="groupLabel">Session Counts</param>
    <module name="ViewstateAdapter">
      <module name="HiddenFieldPicker">
        <param name="strictMode">True</param>
        <module name="JobProgressIndicator">
          <module name="EnablePreview">
            <param name="enable">True</param>
            <param name="display">False</param>
            <module name="HiddenChartFormatter">
              <param name="charting.primaryAxisTitle.text">Timeline</param>
              <param name="charting.secondaryAxisTitle.text">Count</param>
              <param name="charting.legend.placement">left</param>
              <param name="charting.chart">area</param>
              <module name="FlashChart">
                <param name="width">100%</param>
                <module name="ConvertToDrilldownSearch">
                  <module name="ViewRedirector">
                    <param name="viewTarget">flashtimeline</param>
                  </module>
                </module>
              </module>
              <module name="ViewRedirectorLink">
                <param name="viewTarget">flashtimeline</param>
              </module>
            </module>
          </module>
        </module>
      </module>
    </module>
  </module>
Tags (1)
0 Karma
Reply

sideview
SplunkTrust
SplunkTrust
‎10-26-2010 09:34 PM

You are not actually using the stacked config for this guy, so it's just going with the normal 'unstacked' behavior of area charts.

Add this into your HiddenChartFormatter and you'll be fine. 

<param name="charting.chart.stackMode">stacked</param>

As a side note you can remove the ViewStateAdapter and HiddenFieldPicker modules entirely. Those are cruft that get carried over from the simplified XML. Once in a while they do something useful but in this case they are doing nothing besides making the view harder to read. The simplified XML also does a number of other odd things like littering the view with 'groupLabel' params (which are meaningless), using unnecessary indentation in several places, and having autoRun="False" (False is the default so there's no need to specify it)

Here's a cleaned up version. 

<module name="HiddenSearch" layoutPanel="panel_row1_col1" group="TCP Sessions by Direction">
    <param name="search">`tcp-end` | timechart count(inst) by dir | rename inb AS Inbound | rename outb AS Outbound | rename int AS Internal| fields - ext</param>

    <module name="JobProgressIndicator"></module>

    <module name="EnablePreview">
        <param name="enable">True</param>
        <param name="display">False</param>
    </module>

    <module name="HiddenChartFormatter">
      <param name="charting.primaryAxisTitle.text">Timeline</param>
      <param name="charting.secondaryAxisTitle.text">Count</param>
      <param name="charting.legend.placement">left</param>
      <param name="charting.chart">area</param>
      <param name="charting.chart.stackMode">stacked</param>
      <module name="FlashChart">
        <param name="width">100%</param>
        <module name="ConvertToDrilldownSearch">
          <module name="ViewRedirector">
            <param name="viewTarget">flashtimeline</param>
          </module>
        </module>
      </module>
    </module>
    <module name="ViewRedirectorLink">
        <param name="viewTarget">flashtimeline</param>
    </module>
</module>
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...