Problem to make my bar chart to be stacked

martinovm · ‎10-29-2013

Hi ,
I’m on Splunk version 4.3.2I have a simple query that I can render as a bar chart but I’ve a problem to make my bar chart to be stacked. Is there any requirement for the Splunk query in order to produce proper stacked bar chart. Is there something that I need to know?
Thanks,
Martin

sideview · ‎10-29-2013

The only search-language piece, is to make sure you're using the timechart or chart command to have one field's values basically down the left hand side of the table, and a second field's values listed along the column headers of the table. It looks like you're doing this already, and the rest of it is not something you do in the search language but rather in the dashboard settings.

If you're using the dashboard wizard UI look inside the "Edit Visualization" options for a "stacked" option. It should be pretty easy to find.

If you're hand-editing simple XML, then add

<option name="charting.chart.stackMode">stacked</option>

inside your <chart> element.

and if you're using the "Advanced XML", then put

<param name="charting.chart.stackMode">stacked</param>

inside a HiddenChartFormatter just upstream from your JSChart or FlashChart.

martinovm · ‎10-31-2013

Hey, thanks a lot for your response. I’ve used the

qbolbk59 · ‎11-30-2018

Hi @sideview

I am also facing the same issue. I am using the below query to generate a stacked bar graph but somehow it's not giving me stacked bar graph output. I tried selecting the stacked graph option but didn't helped. Also tried adding the XML entry but still no luck.

Not sure what's the error.

sideview · ‎11-30-2018

stats count by Logged_on, Type will give you what's sometimes called "stats style" output rows. This isn't what you want, and it can't really be "stacked".

What you want is chart count over Logged_on by Type, and this is called "chart style" output rows.

And last but not least, "chart style" rows can be stacked.

Further reading - sometimes in really advanced cases you need to kinda flip things around from one style of rows to another, and this is what xyseries and untable are for, if you've ever wondered. xyseries is an advanced command whose main purpose in life is to turn "stats style" output rows into "chart style" output rows, and untable does the opposite.

qbolbk59 · ‎12-07-2018

Hi @sideview ... indeed. chart count by works fine for me. Thanks for the help.

martinovm · ‎10-29-2013

Thanks, this is the search I've been playing with:
index=* request_id=$request_id$ |`rex_stats`|eval System_CPU_load = round(System_CPU_load *100\,2)|stats max(System_CPU_load) as max_cpu_usage by task_id,phase_id|eval xlabel=phase_id|chart avg(max_cpu_usage) by xlabel,phase_id|rename xlabel AS phase_id|rename avg(max_cpu_usage) as "Average CPU Usage(%)"

lukejadamec · ‎10-29-2013

What is your search?

Problem to make my bar chart to be stacked

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!