Splunk Search

Stacked bar chart for specific columns

prafulljha
New Member

I have four fields, baseline, lvl1,lvl2,lv3. I have to compare baseline vs (lvl1+lvl2+lvl3) to see if sum of lvl1,lvl2,lvl3 is exceeding the baseline.
For that purpose I created stacked chart but it is combining all four fields including baseline, in bar.
Expected result:
alt text

Here blue is baseline and others are lvl1, lvl2,lvl3 in stack mode.

Any help would be great!!

Tags (3)
0 Karma
1 Solution

niketn
Legend

@prafulljha, with the current Column Chart in Splunk, you can either have Stacked or non stacked chart but not a combination of both. So as @cusello has stated, you can use Baseline as overlay field and for coloring the series you would need to use charting.fieldColors Simple XML Chart Configuration (https://docs.splunk.com/Documentation/Splunk/latest/Viz/ChartConfigurationReference#General_chart_pr...

    <option name="charting.fieldColors">{"lvl1":0x00FF00,"lvl2":0xFFC200,"lvl3":0xFF0000}</option>

As evident, the above expects your series names to be lvl1, lvl2 and lvl3 and also if Baseline is the first series it will be picked up as Blue by default series color for the first series.

alt text

If you need the Columns as per your screenshot, you might have to build your own custom visualization using Highcharts JS library. Refer to documentation for Building Custom Visualization: https://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/CustomVizTutorial

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma

prafulljha
New Member

@niketnilay, thanks for your idea, actually this i have already done, the problem we are facing is difficulties while hovering and while clicking on the bar for lvls to see the data below (as these columns are populating data below in tabular form) as this baseline overlay always comes in between(if the values are of same range).
Here is how my panel looks like.
alt text

Can you please suggest any alternative way to achieve the same in splunk?

Thanks.

0 Karma

niketn
Legend

@prafulljha, with the current Column Chart in Splunk, you can either have Stacked or non stacked chart but not a combination of both. So as @cusello has stated, you can use Baseline as overlay field and for coloring the series you would need to use charting.fieldColors Simple XML Chart Configuration (https://docs.splunk.com/Documentation/Splunk/latest/Viz/ChartConfigurationReference#General_chart_pr...

    <option name="charting.fieldColors">{"lvl1":0x00FF00,"lvl2":0xFFC200,"lvl3":0xFF0000}</option>

As evident, the above expects your series names to be lvl1, lvl2 and lvl3 and also if Baseline is the first series it will be picked up as Blue by default series color for the first series.

alt text

If you need the Columns as per your screenshot, you might have to build your own custom visualization using Highcharts JS library. Refer to documentation for Building Custom Visualization: https://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/CustomVizTutorial

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

prafulljha
New Member

@niketnilay,
PFB my comments.

0 Karma

niketn
Legend

You have two options,

1) You can use Left Click and Drag option to zoom in to smaller/specific range so that selection of various series is easier.

2) Splunk Enterprise 7.0 came up with new seriesCompare as legend mode using Simple XML Chart configuration: <option name="charting.legend.mode">seriesCompare</option>. This will allow you to hover over a specific region on chart and it will show selected values for all series for that region. This would however work only on Line Chart not Column Chart.

alt text

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

prafulljha
New Member

Hi,
Can anyone provide their inputs ?

Thanks.

0 Karma

niketn
Legend

@prafulljha, can you add some sample tabular data for which you want to create chart?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

prafulljha
New Member

@niketnilay, sure. I can provide you the CSVs which i am using, but don't know how to upload the same.

0 Karma

niketn
Legend

You can type the values as text and choose <code> button (101010) while posting. Or else you can take a screenshot and upload to any image sharing site and paste the URL using the image button <img> here.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

prafulljha
New Member

@niketnilay -In both the file common field is Dom,so we need to write our query using join so that we can join both the table using field Dom.
(1) For the Baseline count the values are:-
LastUpdatedDateTime Dom Baseline
20:11.5 AA 10
20:11.5 AOL 9
20:11.5 ATL 2
20:11.5 AWD 4
20:11.5 CYB 3
20:11.5 DocM 1
20:11.5 ECL 1
20:11.5 INT 2
20:11.5 LSC 1
20:11.5 LUS 4
20:11.5 NEBAS 1
20:11.5 Ralie 2
20:11.5 SCD 1
20:11.5 TRN 5

(2) For the Levels count these are the values:-
LastUpdatedDateTime Dom MyCount Lvl
56:20.0 TRN 1 Lvl2
56:20.0 ATL 1 Lvl2
56:20.0 TRN 1 Lvl2
56:20.0 CYB 1 Lvl2
56:20.0 TRN 1 Lvl2
56:20.0 LUS 1 Lvl2
56:20.0 CYB 1 Lvl2
56:20.0 ATL 1 Lvl2
56:20.0 CYB 1 Lvl2
56:20.0 TRN 1 Lvl2
56:20.0 TRN 1 Lvl2
56:20.0 LUS 1 Lvl2
56:20.0 AWD 1 Lvl2
56:20.0 TRN 1 Lvl2
56:20.0 CYB 1 Lvl2
56:20.0 TRN 1 Lvl2
56:20.0 ATL 1 Lvl2
56:20.0 LUS 1 Lvl2
56:20.0 INT 1 Lvl3
56:20.0 SCD 1 Lvl3
56:20.0 ATL 1 Lvl3
56:20.0 AA 1 Lvl3
56:20.0 AWD 1 Lvl1
56:20.0 AOL 1 Lvl1
56:20.0 AOL 1 Lvl1
56:20.0 AOL 1 Lvl1
56:20.0 AA 1 Lvl1
56:20.0 AWD 1 Lvl1
56:20.0 AOL 1 Lvl1
56:20.0 AOL 1 Lvl1
56:20.0 AA 1 Lvl1
56:20.0 AA 1 Lvl1
56:20.0 AA 1 Lvl1
56:20.0 AOL 1 Lvl1
56:20.0 AA 1 Lvl1
56:20.0 TRN 1 Lvl1
56:20.0 AA 1 Lvl1
56:20.0 AOL 1 Lvl1
56:20.0 AA 1 Lvl1
56:20.0 AOL 1 Lvl1
56:20.0 AA 1 Lvl1
56:20.0 AA 1 Lvl1
56:20.0 AA 1 Lvl1
56:20.0 AA 1 Lvl1
56:20.0 AOL 1 Lvl1
56:20.0 AWD 1 Lvl1
56:20.0 AOL 1 Lvl1
56:20.0 AOL 1 Lvl1
56:20.0 AA 1 Lvl1
56:20.0 AWD 1 Lvl1
56:20.0 AA 1 Lvl1
56:20.0 AA 1 Lvl1
56:20.0 AWD 1 Lvl1
56:20.0 AOL 1 Lvl1
56:20.0 AOL 1 Lvl1
56:20.0 AA 1 Lvl1
56:20.0 AOL 1 Lvl1
56:20.0 AOL 1 Lvl1
56:20.0 AA 1 Lvl1
56:20.0 AOL 1 Lvl1
56:20.0 AA 1 Lvl1
56:20.0 AA 1 Lvl1
56:20.0 AWD 1 Lvl1
56:20.0 AA 1 Lvl1
56:20.0 AOL 1 Lvl1
56:20.0 AA 1 Lvl1
56:20.0 AOL 1 Lvl1
56:20.0 AA 1 Lvl1
56:20.0 AA 1 Lvl1
56:20.0 AA 1 Lvl1
56:20.0 AA 1 Lvl1
56:20.0 AA 1 Lvl1
56:20.0 AA 1 Lvl1
56:20.0 AOL 1 Lvl1
56:20.0 AOL 1 Lvl1
56:20.0 AWD 1 Lvl1
56:20.0 AWD 1 Lvl1
56:20.0 AOL 1 Lvl1
56:20.0 AA 1 Lvl1
56:20.0 AOL 1 Lvl1
56:20.0 AOL 1 Lvl1
56:20.0 AA 1 Lvl1
56:20.0 AA 1 Lvl1

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi prafulljha,
do you want to have a graphic solution or a calculated solution?
if you want a graphic solution you could create a new field that sum lvl1,lvl2 and lv3 and then overlay this value in your graphic.

If instead you want a calculated solution you could add to your search a field from eval command

| eval result=if(baseline>lvl1+lvl2+lv3,"OK","NOK")

Bye.
Giuseppe

0 Karma

prafulljha
New Member

I want the graphic solution. I tried overlay option also. But the problem with that is, coincidentally the count of baseline (overlay field) is overlapping with count of stacked bars of fields (lvl1 or lvl2 or lv3) in visualization. So that is not impressive. If there is any way to take care of this situation in this method or any alternate, will be helpful

0 Karma

gcusello
SplunkTrust
SplunkTrust

You could put in your graphic only baseline and the sum of other fields, not staked, so you can see any difference.
Bye.
Giuseppe

0 Karma

prafulljha
New Member

I have to see levels also, like in above pic, different colors represents different levels. Green for Lvl1, Orange for lvl3, Red for lvl3 and blue for baseline

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...