Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Timechart of two stats with split by same field, one as overlay, then color code columns based on uncharted value

cblanton
Communicator
‎09-27-2019 03:54 PM

I've been doing ugly hacks around this need for months and now I need to dig in and figure out an eloquent solution even if it means learning some new skills. I need to | timechart two stats - Total Turnin Time and Files changed per Turnin, split by the same FileID. I'd like the Files changed per Turnin value to be an overlay as below. I can achieve this below by manually selecting the overlay fields for each concatenation of Files Changed per Turnin:FileID, but this won't transfer to a dashboard where FileID is filled by token. Is there a way to use a wildcard in the overlay field?

It's important to know that from here the FileID is being passed through drill down. I was working on a concatenation of the FileID and value of Files Changed per Turnin so that it would be displayed in the tooltip, but then I couldn't pass the FileID.

Finally, I'd like to color-code the columns based on yet another filed value, TurninStatus. You can see below that this search is only for TurninStatus=P. I currently have an entirely separate view for TurninStatus=F.

Thanks very much for any thoughts or suggestions on any part of the issue.

alt text

0 Karma
Reply
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!

Get Updates on the Splunk Community!