Splunk Search

chart with multiple scales?

Justin_Grant
Contributor

Can Splunk show (and if so, how?) different scales for each line in a line graph while auto-computing the correct scale for each (meaning the lines will auto-size their height based on the max value for each metric)?

more details: in a security-related view, I'd like to chart attempted logins/day and failed logins/day on the same line graph. But attempted logins will (hopefully!) outnumber failed logins by 100x or more. So I'd like to use different scales for each metric.

Tags (2)

sxp5686
Explorer

Can Anyone tell how we can get below graalt textgh using splunk.

,Can anyone tell how to get below graph using splunk.alt text

0 Karma

richgalloway
SplunkTrust
SplunkTrust

@sxp5686, You're asking a new question in a thread that is more than 7 years old. For better chances at getting help, please post a new question.

---
If this reply helps you, Karma would be appreciated.
0 Karma

breischl
Engager

I found that you can do this, at least in v6.1.
In the visualization editor...

  1. Select the "Chart Overlay" tab
  2. type in your alternate series (ie, the one to put on the right side y-axis) in the first field
  3. Set "View as Axis" to true
  4. Select a reasonable scale

That should do it.

Jason
Motivator

I am at a client that is requesting this functionality as well. They want to be able to plot the number of sessions opened (in the thousands) and the percentage of memory used on the same graph to show correlation.

Is this possible?

Justin_Grant
Contributor

looking at the other answers, it looks like (so far at least) no one has figured out how to do this.

0 Karma

Yancy
Path Finder

Have you tried applying a log scale to the graph? Seems like a good use case for graphing counts that are in the 10x or 100x difference.

I was hopeful that the Multiseries 'split' chart type would do this, but each of the series adhere to the same scale.

I also think this could be good seperated into two stacked graphs measuring the same time period. You would need to make a view that incorporated separate searches into it.

rotten
Communicator

If you are more interested in relative trends than actual counts you could try normalizing the data. It might be as simple as "| timechart loginCount/max(loginCount) failedCount/max(failedCount)"

That would give you a peak value of "1" for both (when you are the max for your search interval).

Multiple scale graphs are generally considered poor visualizations and should be avoided.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...