Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why am I unable to produce a stacked chart and joining 2 searches is giving 4 columns/series?

HattrickNZ
Motivator
‎03-29-2016 03:47 PM

I have a search as follows: 

search1 | join type=outer _time [search search2] |

It is rather long and basically does a prediction in the first search and a prediction in the second chart.
This is the data that I get:

_time    kpi1        predict_kpi1   kpi2         predict_kpi2
2010-09   179.539643            
2010-10   239.270968            
2010-11   307.206667                  299.002293        
2010-12   405.039032                  370.322798        
...
2018-07             21586.06208              27442.36503
2018-08             21813.79108              28051.52905
2018-09             22041.52008              28660.69308

the problem now that the chart is not doing a stacked area chart for all 4 series in the graph...sigh!!

This is what I am getting.

picture of staked chart that is not completely stacked

Ideally I would like to be able to achieve something like this in excel. Is this a splunk limitation because I am using the join? I mean the data is right and I can take it and do what I want in excel but I can't repeat it in splunk. Can anyone advise on this?

excel version

NOTE: see my related question here that got me to this point

Preview file
1 KB
Preview file
1 KB
0 Karma
Reply

somesoni2
SplunkTrust
SplunkTrust
‎03-29-2016 04:04 PM

Try this

 search1 | join type=outer _time [search search2] | fillnull value=0
0 Karma
Reply

HattrickNZ
Motivator
‎03-29-2016 04:10 PM

fills all the blanks with 0 but the stacking still does not work. there is only 97 rows of data. splunk should be abble to handle this?

0 Karma
Reply

ppablo
Retired
‎03-29-2016 03:53 PM

Hi @HattrickNZ

Was going to try and help reformat your data, but I'm not sure what values are supposed to align with which columns. If you let me know what is supposed to go under kpi1, predict_kpi1, kpi2, and predict_kpi2, I can take care of it for ya.

0 Karma
Reply

HattrickNZ
Motivator
‎03-29-2016 04:08 PM

@ppablo, hope this explains how the sample data aligns.
179 is kpi1
299 is predict_kpi1
21586.06208 is predict_kpi1
27442.36503 is predict_kpi2

0 Karma
Reply

ppablo
Retired
‎03-29-2016 04:27 PM

I think you meant 299 is kpi2? If yes, then my work is done 🙂

0 Karma
Reply

HattrickNZ
Motivator
‎03-31-2016 01:14 PM

no, kpi2 and predict_kpi2 are blank, they only get values later on but caan't be seen in this sample set.tks

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...