Solved: Add a line overlay to a column chart?

msarro · ‎05-28-2013

Hi everyone. I have browsed around and found things which are kind of similar, but not quite what I'm looking for.

We are generating a column chart currently. What we need is the ability to draw a line across it at a set threshold, so we can very easily see when the columns exceed that threshold. Can someone provide some direction as to how this can best be accomplished? Preferably with simple XML if at all possible (if not, I'll switch over, but I greatly prefer simplified over advanced due to clarity).

I ended up switching over to advanced XML for this. Here is the XML:

Trunking POC 2

Gilberto_Castil · ‎05-28-2013

Please read this article to get through the basic steps in the advanced XML. In essense, you need enough data points for the column and line points to paint on the same Y axis.

As for the simple XML, here is an example:

Purpose: Draw activity level by top 3 sourcetypes (stacked columns) and display sum of KBPS (line). Here is a search for that:

index=_internal group="per_sourcetype_thruput" earliest=24h@h
| timechart count by series limit=3 
| appendcols [search index=_internal group="per_sourcetype_thruput" | timechart sum(kbps) AS KBThroughput] 
| fields - OTHER

Here is Simple XML to draw the items in the order expected. Please pay close attention to the ordering of your own data in terms of columns. In this case we are using a timechart so column 0 is time, column 1 is KBThroughput and columns 2-to-4 are the aggregate sourcetype counts. In other words, you might end up with a tabular data set like so... You end up with five (5) columns and you need to choose the elements which represent your data visualization.

time    KBThroughput    access_combined splunkd websphere_trlog
2013-05-27T15:00:00.000+0000    87.409021   58  58  31
2013-05-27T15:30:00.000+0000    86.310125   58  58  32
...

The relationship in the data display are 0:1 as x:y for the KBThroughput and 0:2,3,4 for the x:y1,y2,y3 for the aggregate columns which represent the count of messages by sourcetype.

Finally, here is the sample XML.

<?xml version='1.0' encoding='utf-8'?>
<dashboard>
  <label>sample overlay simple xml</label>
  <row>
    <chart>
      <searchName>sample overlay</searchName>
      <title>sample overlay</title>
      <option name="charting.axisTitleX.text">Last 24 Hours</option>
      <option name="charting.primaryAxisTitle.text">Activity</option>

      <option name="charting.data0">results</option>
      <option name="charting.data0.jobID">@data.jobID</option>


      <option name="charting.data1">view</option>
      <option name="charting.data1.table">@data0</option>
      <option name="charting.data1.columns">[0,2,3,4]</option>
      <option name="charting.chart1.data">@data1</option>               
      <option name="charting.chart1">column</option>
      <option name="charting.chart1.nullValueMode">gaps</option>
      <option name="charting.chart1.stackMode">stacked</option>
      <option name="charting.chart1.columnAlignment">0.5</option>      

      <option name="charting.data2">view</option>
      <option name="charting.data2.table">@data0</option>
      <option name="charting.data2.columns">[0,1]</option>
      <option name="charting.chart2">line</option>
      <option name="charting.chart2.data">@data2</option>               
      <option name="charting.chart2.showMarkers">true</option>
      <option name="charting.chart2.markerSize">5</option>

      <option name="charting.layout.charts">[@chart1,@chart2]</option>
      <option name="charting.layout.axisTitles">[@axisTitleX,@axisTitleY]</option>        

    </chart>
  </row>
</dashboard>

I hope this helps.

View solution in original post

Gilberto_Castil · ‎05-28-2013

Please read this article to get through the basic steps in the advanced XML. In essense, you need enough data points for the column and line points to paint on the same Y axis.

As for the simple XML, here is an example:

Purpose: Draw activity level by top 3 sourcetypes (stacked columns) and display sum of KBPS (line). Here is a search for that:

index=_internal group="per_sourcetype_thruput" earliest=24h@h
| timechart count by series limit=3 
| appendcols [search index=_internal group="per_sourcetype_thruput" | timechart sum(kbps) AS KBThroughput] 
| fields - OTHER

Here is Simple XML to draw the items in the order expected. Please pay close attention to the ordering of your own data in terms of columns. In this case we are using a timechart so column 0 is time, column 1 is KBThroughput and columns 2-to-4 are the aggregate sourcetype counts. In other words, you might end up with a tabular data set like so... You end up with five (5) columns and you need to choose the elements which represent your data visualization.

time    KBThroughput    access_combined splunkd websphere_trlog
2013-05-27T15:00:00.000+0000    87.409021   58  58  31
2013-05-27T15:30:00.000+0000    86.310125   58  58  32
...

The relationship in the data display are 0:1 as x:y for the KBThroughput and 0:2,3,4 for the x:y1,y2,y3 for the aggregate columns which represent the count of messages by sourcetype.

Finally, here is the sample XML.

<?xml version='1.0' encoding='utf-8'?>
<dashboard>
  <label>sample overlay simple xml</label>
  <row>
    <chart>
      <searchName>sample overlay</searchName>
      <title>sample overlay</title>
      <option name="charting.axisTitleX.text">Last 24 Hours</option>
      <option name="charting.primaryAxisTitle.text">Activity</option>

      <option name="charting.data0">results</option>
      <option name="charting.data0.jobID">@data.jobID</option>


      <option name="charting.data1">view</option>
      <option name="charting.data1.table">@data0</option>
      <option name="charting.data1.columns">[0,2,3,4]</option>
      <option name="charting.chart1.data">@data1</option>               
      <option name="charting.chart1">column</option>
      <option name="charting.chart1.nullValueMode">gaps</option>
      <option name="charting.chart1.stackMode">stacked</option>
      <option name="charting.chart1.columnAlignment">0.5</option>      

      <option name="charting.data2">view</option>
      <option name="charting.data2.table">@data0</option>
      <option name="charting.data2.columns">[0,1]</option>
      <option name="charting.chart2">line</option>
      <option name="charting.chart2.data">@data2</option>               
      <option name="charting.chart2.showMarkers">true</option>
      <option name="charting.chart2.markerSize">5</option>

      <option name="charting.layout.charts">[@chart1,@chart2]</option>
      <option name="charting.layout.axisTitles">[@axisTitleX,@axisTitleY]</option>        

    </chart>
  </row>
</dashboard>

I hope this helps.

dablackgoku1234 · ‎11-10-2015

Is it possible to achieve this overlay but with different scales for the line vs the columns? My values for the column chart is less than 100, however, the line chart will be over 100,000.

vxsplunk · ‎12-09-2015

Yes, look at this example:
http://docs.splunk.com/Documentation/Splunk/6.3.1511/Viz/Chartcontrols#Chart_overlay_example_.28dual...

lguinn2 · ‎01-21-2014

This is documented as a migration issue in moving from Splunk 5 to Splunk 6. In Splunk 6, simple XML uses JavaScript, not Flash. The technique used here requires Flash.

http://docs.splunk.com/Documentation/Splunk/6.0.1/AdvancedDev/Migration#Flash_charting_not_available...

msarro · ‎05-28-2013

That's almost perfect! I got rid of the marker size and showmarker options (it's a threshold line and they looked a bit weird). The only thing left is to get splunk to somehow draw the line the whole way across which I'm not sure is possible (atm it draws to the middle of each column). Either way, this is more than close enough to work 🙂 Thank you for your help!

Gilberto_Castil · ‎05-28-2013

Glad the simple XML works for you. You are are almost there. The markers for the line are, be default, aligned to the left. You cannot realign the line markers but you can set the position for the column. See updated example to reflect that.

msarro · ‎05-28-2013

Also, I attempted with the simple XML and it almost works except the line is not drawn across the final column, so it only appears to cross the first 23 columns. I have verified that the table columns don't include any missing data, so I'm not sure what's going on.

msarro · ‎05-28-2013

I appreciate your help, but still am not having luck. The chart is still being generated as a column chart, with two columns for every timespan (one for the count, one for the threshold). The column is supposed to be used for the count, and the threshold as mentioned is supposed to be the line. I must be missing something here... I added the xml above

Gilberto_Castil · ‎05-28-2013

Sorry. I missed that point. An overlay in simple XML is possible. I am ammending my answer with an example.

msarro · ‎05-28-2013

So, is there no way to do do this without using advanced XML?

Add a line overlay to a column chart?

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!