Simple XML: Stacked column chart not working

SRIVATSAN_IYER
Explorer

I have a very simple chart that shows time spent in a specific stage. The query behind it looks like below:

source="/home/jboss/jboss-as-7.1.1.Final/standalone/log/server.log" "Stage specific metrics: " | 
rex max_match=0 "Stage specific metrics: (?<Stage1>[^,]+),(?<Stage2>[^,]+),(?<Stage3>[^,]+),(?<Stage4>[^,]+),(?<Stage5>[^,]+),(?<Stage6>[^,]+),(?<Stage7>[^,]+),(?<Stage8>.*)" | table _time Stage1 Stage2 Stage3 Stage4 Stage5 Stage6 Stage7 Stage8

The above query is saved as "Stage Specific Metrics". The simple XML I am using in a Dashboard (form to be more accurate) looks like below:

  <row>
    <table>
      <searchName>Stage Specific Metrics Average</searchName>
      <title>Stage Specific Metrics Averaged (REVEAL)</title>
    </table>
    <chart>
      <searchName>Stage Specific Metrics</searchName>  
      <title>Time Spent Per Stage (REVEAL)</title>
      <option name="charting.chart">column</option>
      <option name="charting.stackMode">stacked100</option>      <!-- Line of concern: value disregarded by Splunk -->
      <option name="charting.gaugeColors">[0X6BB7C8,0XFAC61D,0XD85E3D,0X956E96,0XF7912C,0X9AC23C,0X998C55]</option>
    </chart>
  </row>

What I have now is a stacked (not 100%) chart. Regardless of what value I set in the above XML (charting.stackMode), I get no change in the final result.

My Requirement

  • To be able to display both "Stacked" and "Stacked100" charts in a single row. (In the SimpleXML above, there's just one of these two charts.)
  • Both of the above charts will have the same query behind them (the one put in above).

My Question

  • What do I need to change in the SimpleXML above, to be able to achieve the results? Or is this a known issue of Splunk that I have hit?

Splunk Version: 5.0.4


I also tried to generate the SimpleXML by first doing the search, choosing the graph properties (such as stacked100%) and then creating a new dashboard from the search. The simpleXML generated looks like below:

<?xml version='1.0' encoding='utf-8'?>
<dashboard>
  <label>Test Dashboard</label>
  <row>
    <chart>
      <searchName>Stage Specific Metrics - Test</searchName>
      <title>Stage Specific Metrics - Test</title>
      <option name="charting.chart">column</option>
    </chart>
  </row>
</dashboard>

What I observe is that in the SimpleXML generated, there's no such line to specify the chart type. In my opinion, even the search has got nothing to do with how the results show up (i.e. either as a chart, table, etc.). What I do not understand is how exactly Splunk is generating a stacked100% chart here even if it's not specified in the SimpleXML. How exactly is it "remembering" my original search and my preference for the graph when the SimpleXML shows no sign of such configuration?

0 Karma
1 Solution

ziegfried
Influencer

Try to use the option charting.chart.stackMode instead of charting.stackMode:

<option name="charting.chart.stackMode">stacked100</option>

SRIVATSAN_IYER
Explorer

Thanks a lot ziegfried! That solved my problem. 🙂

0 Karma
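The accepted fix applied to the requirement in the question, as an added example that is not part of the original thread: one row with two charts driven by the same saved search, one stacked and one stacked100. The saved search name is the one from the question; the panel titles are made up for illustration.

```xml
<row>
  <!-- Absolute stacking: each column's height is the sum of the stage values -->
  <chart>
    <searchName>Stage Specific Metrics</searchName>
    <title>Time Spent Per Stage (stacked)</title>
    <option name="charting.chart">column</option>
    <!-- Note the extra ".chart" segment; "charting.stackMode" is not applied -->
    <option name="charting.chart.stackMode">stacked</option>
  </chart>
  <!-- 100% stacking: every column is normalized so the stages show as shares -->
  <chart>
    <searchName>Stage Specific Metrics</searchName>
    <title>Time Spent Per Stage (stacked 100%)</title>
    <option name="charting.chart">column</option>
    <option name="charting.chart.stackMode">stacked100</option>
  </chart>
</row>
```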