Splunk Search

Simple XML: Stacked column chart not working

SRIVATSAN_IYER
Explorer

I have very simple chart that shows time spent in a specific stage. The query behind it looks like below:

source="/home/jboss/jboss-as-7.1.1.Final/standalone/log/server.log" "Stage specific metrics: " | 
rex max_match=0 "Stage specific metrics: (?<Stage1>[^,]+),(?<Stage2>[^,]+),(?<Stage3>[^,]+),(?<Stage4>[^,]+),(?<Stage5>[^,]+),(?<Stage6>[^,]+),(?<Stage7>[^,]+),(?<Stage8>.*)" | table _time Stage1 Stage2 Stage3 Stage4 Stage5 Stage6 Stage7 Stage8

The above query is saved as "Stage Specific Metrics". The simple XML I am using in a Dashboard (form to be more accurate) looks like below:

  <row>
    <table>
      <searchName>Stage Specific Metrics Average</searchName>
      <title>Stage Specific Metrics Averaged (REVEAL)</title>
    </table>
    <chart>
      <searchName>Stage Specific Metrics</searchName>  
      <title>Time Spent Per Stage (REVEAL)</title>
      <option name="charting.chart">column</option>
      <option name="charting.stackMode">stacked100</option>      //**Line of concern: value disregarded by Splunk**
      <option name="charting.gaugeColors">[0X6BB7C8,0XFAC61D,0XD85E3D,0X956E96,0XF7912C,0X9AC23C,0X998C55]</option>
    </chart>
  </row>

What I have now is a stacked (not 100%) chart. Regardless of what value I set in the above XML (charting.stackMode), I get no change in the final result.

My Requirement

  • To be able to display both "Stacked" and "Stacked100" charts in a single row. (In the SimpleXML above, there's just one of these two charts.)
  • Both of the above charts will have the same query behind them (the one put in above).

My Question

  • What do I need to change in the SimpleXML above, to be able to achieve the results? Or is this a known issue of Splunk that I have hit?

Splunk Version: 5.0.4


I also tried to generate the SimpleXML by first doing the search, choosing the graph properties (such as stacked100%) and then creating a new dashboard from the search. The simpleXML generated looks like below:

<?xml version='1.0' encoding='utf-8'?>
<dashboard>
  <label>Test Dashboard</label>
  <row>
    <chart>
      <searchName>Stage Specific Metrics - Test</searchName>
      <title>Stage Specific Metrics - Test</title>
      <option name="charting.chart">column</option>
    </chart>
  </row>
</dashboard>

What I observe is that in the SimpleXML generated, there's no such line to specify the chart type. In my opinion, even the search has got nothing to do with how the results show up (ie either as a chart, table, etc). What I do not understand is how exactly Splunk generating a stacked100% chart here even if its not specified in the simpleXML. How exactly is it "remembering" my original search and my preference for the graph when the SimpleXML shows no sign of such configuration.

0 Karma
1 Solution

ziegfried
Influencer

Try to use the option charting.chart.stackMode instead of charting.stackMode:

<option name="charting.chart.stackMode">stacked100</option>

View solution in original post

ziegfried
Influencer

Try to use the option charting.chart.stackMode instead of charting.stackMode:

<option name="charting.chart.stackMode">stacked100</option>

SRIVATSAN_IYER
Explorer

Thanks a lot ziegfried! That solved my problem. 🙂

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...