Using 6.1, I would like to create a horizontal line with an area chart. I have read so many examples and my search command has produced a very close result. The only thing missing is to show by sourcetype limit=n (number). Here's my command:
index=name | bin _time span=15m | eventstats max(total_capacity) as Available | timechart sum(eval(quantity/12)) span=1h as current_usage first(Available) as available
Right now it shows the horizontal line, which is available, and under it is the area chart, which is current_usage. Very close to what I want.
I would like to somehow show current_usage is a sourcetype. Example: by sourcetype limit=n (number). Instead of a solid area chart, it has a breakdown of what the sourcetype is. sourcetype = powertools (hammer, wrench, screwdriver, etc.).
I'm not quite sure if I understand your question correctly, are you trying to split the area by sourcetype but still show one overlay line overall?
index=name | timechart span=1h sum(eval(quantity/12)) as current_usage max(total_capacity) as available by sourcetype | rename "current_usage: *" as * | eval available = 0 | foreach "available: *" [eval available = if(isnull('<<FIELD>>') OR '<<FIELD>>' < available, available, '<<FIELD>>')] | eventstats max(available) as available | fields - "available: *"
Sorry again, use this link as an example: http://docs.splunk.com/Documentation/Splunk/6.1.3/SearchReference/Timechart. Example one is a stacked bar chart; the type is ProductName. Instead of a bar chart, mine is a stacked area chart with 10 types shown. Maybe I was using the wrong terminology, sourcetype vs type.
You are correct that your search will not yield 10 sourcetypes and one available column if you use the original search. My question was how to change it to display 10 sourcetypes on the visualization tab with the line chart and area chart and 10 columns on the Statistics tab.
That doesn't reduce my confusion. If the search I posted earlier doesn't miraculously do what you need, you should post a batch of sample data along with how you want the chart to look.
Basically, if I break the last search:
index=name | bin _time span=15m | timechart sum(eval(quantity/12)) span=1h as current_usage first(Available) as available
replace it with
index=name | bin _time span=15m | timechart sum(eval(quantity/12)) span=1h by sourcetype limit=10
The area chart will display 10 sourcetypes. Hope this helps.
Sorry for the confusion. Basically I want to show two charts: line and area, where the area would like to break down what current_usage is. current_usage is powertools. Powertools has hammer, wrench, screwdriver, etc.