Solved: splunk v6.1.2 + overlay + just want 2 bars with on...

HattrickNZ · ‎03-05-2015

I have the below graph

I get this graph with a query similar to:

...| stats max(c117) as whatever max(limit2) as "whatever with a space" by userLabel

which gives me data that looks like:

userLabel   whatever    whatever with a space
PR          60071             77777
AM          20762             88888

Now what I want is the whatever to be a column overlayed on the yellow column. I do not want it to be a line, splunk just does that when I select overlay for whatever.
Can this be done in the normal formatting? Or do i have to do this in simple xml or advanced xml

HattrickNZ · ‎03-15-2015

tks but that did not work. I did find a way to do what i wanted, and the search looks something like below. I basically have to subtract Limit from Usage and then stack limit4Graph oon top of Usage.

... | stats max(c117492014) as Usage max(limit2) as Limit by userLabel | eval percent=Usage/Limit*100 | eval limit4Graph=Limit-Usage | fields userLabel Usage limit4Graph percent

This gives me something like this.

NOTE I have add a precent column as I awat to overlay the percent value on top of this and not have this percent line present.This is something else I am working on.

View solution in original post

HattrickNZ · ‎03-15-2015

tks but that did not work. I did find a way to do what i wanted, and the search looks something like below. I basically have to subtract Limit from Usage and then stack limit4Graph oon top of Usage.

... | stats max(c117492014) as Usage max(limit2) as Limit by userLabel | eval percent=Usage/Limit*100 | eval limit4Graph=Limit-Usage | fields userLabel Usage limit4Graph percent

This gives me something like this.

NOTE I have add a precent column as I awat to overlay the percent value on top of this and not have this percent line present.This is something else I am working on.

stephane_cyrill · ‎03-05-2015

Hi HattrickNZ ,

If having only whatever as a culumn is ok for you , just exchange the position of the fields whatever and whatever a space like you can see below:enter code here

 ...| stats  max(limit2) as "whatever with a space"  max(c117) as whatever by userLabel

And you can set up whatever a space as line for the chart overlay if it is what you want.

stephane_cyrill · ‎03-13-2015

    <form>
    <label>Bar Chart</label>
    <description>Example using a basic bar chart</description>
    <fieldset submitButton="false">
    <input type="time" token="time_token" searchWhenChanged="true">
    <label></label>
    <default>
    <earliestTime>-7d@h</earliestTime>
    <latestTime>now</latestTime>
    </default>
    </input>
    </fieldset>
    <row>
    <panel>
    <chart>
    <searchString>index="_internal" | stats max(bytes) as "whatever with a space"   max(current_size) as whatever by sourcetype </searchString>
    <earliestTime>$time_token.earliest$</earliestTime>
    <latestTime>$time_token.latest$</latestTime>
    <option name="charting.chart">bar</option>
    <option name="charting.axisY.scale">log</option>
    <option name="charting.chart.stackMode">default</option>
    <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
    <option name="charting.legend.placement">right</option>
    </chart>

    </panel>
    </row>
    </form>

HattrickNZ · ‎03-08-2015

@stephane_cyrille maybe I don't understand. But I want all columns with one column overlapping the other column. I do not want any line chart. Does this make sense? maybe i will edit my answer to show exactly what i want.

stephane_cyrill · ‎03-13-2015

OK if i understand well you need to transform that line into a culumn in the same chart.
Let's try to use simple xml.

stephane_cyrill · ‎03-13-2015

in the code below replace my search string with your own .

splunk v6.1.2 + overlay + just want 2 bars with one overlayed on the other

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms