Splunk Search

Why am I unable to produce a stacked chart and joining 2 searches is giving 4 columns/series?

Motivator

I have a search as follows:

search1 | join type=outer _time [search search2] |

It is rather long and basically does a prediction in the first search and a prediction in the second chart.
This is the data that I get:

_time    kpi1        predict_kpi1   kpi2         predict_kpi2
2010-09   179.539643            
2010-10   239.270968            
2010-11   307.206667                  299.002293        
2010-12   405.039032                  370.322798        
...
2018-07             21586.06208              27442.36503
2018-08             21813.79108              28051.52905
2018-09             22041.52008              28660.69308

the problem now that the chart is not doing a stacked area chart for all 4 series in the graph...sigh!!

This is what I am getting.

picture of staked chart that is not completely stacked

Ideally I would like to be able to achieve something like this in excel. Is this a splunk limitation because I am using the join? I mean the data is right and I can take it and do what I want in excel but I can't repeat it in splunk. Can anyone advise on this?

excel version

NOTE: see my related question here that got me to this point

0 Karma

Revered Legend

Try this

 search1 | join type=outer _time [search search2] | fillnull value=0 
0 Karma

Motivator

fills all the blanks with 0 but the stacking still does not work. there is only 97 rows of data. splunk should be abble to handle this?

0 Karma

Community Manager
Community Manager

Hi @HattrickNZ

Was going to try and help reformat your data, but I'm not sure what values are supposed to align with which columns. If you let me know what is supposed to go under kpi1, predict_kpi1, kpi2, and predict_kpi2, I can take care of it for ya.

0 Karma

Motivator

@ppablo, hope this explains how the sample data aligns.
179 is kpi1
299 is predict_kpi1
21586.06208 is predict_kpi1
27442.36503 is predict_kpi2

0 Karma

Community Manager
Community Manager

I think you meant 299 is kpi2? If yes, then my work is done 🙂

0 Karma

Motivator

no, kpi2 and predict_kpi2 are blank, they only get values later on but caan't be seen in this sample set.tks

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!