Creating Chart Overlays in Splunk 6

bruceclarke
Contributor

All,

I'm trying to implement overlays for the dashboard panel I am working on. I want exactly the same chart as is described in this question: http://answers.splunk.com/answers/81701/chart-overlay-and-different-graph-type.

Unfortunately, I can't seem to get Splunk to recognize chart2. It just takes all the display details from the first chart and ignores chart2 completely. Moreover, it doesn't respect the columns property (instead, it just applies the styling to all columns returned from a search).

Does anyone know why this might be? My search returns the exact same format as the example in the link I sent. Below is XML to display the chart overlay:

<form>
  <row>
    <chart>
      <title>Elapsed times per hour</title>
      <searchString>sourcetype=perfLogging browserElapsed!="None" roundTripElapsed!="None" networkElapsed!="None" serverElapsed!="None" dbName=$dbName$ event=$event$ | eval browserElapsed=(browserElapsed/1000)  | eval networkElapsed=(networkElapsed/1000)  | eval serverElapsed=(serverElapsed/1000)  | timechart span=1h avg(browserElapsed) as browserElapsed avg(networkElapsed) as networkElapsed avg(serverElapsed) as serverElapsed count as count</searchString>
      <earliestTime>$earliest$</earliestTime>
      <latestTime>$latest$</latestTime>

      <!-- set up an alternative palette for the stacked chart; transparency makes the line chart more visible -->
      <option name="charting.transparentBrushPalette">solidFill</option>
      <option name="charting.transparentBrushPalette.colorPalette">@colorPalette</option>
      <option name="charting.transparentBrushPalette.alpha">0.7</option>

      <!-- set chart to use columns 0,1,2,3 where @data is the original search, and 0 is the time-->
      <option name="charting.data1">view</option>
      <option name="charting.data1.table">@data</option>
      <option name="charting.data1.columns">[0,1,2,3]</option>
      <option name="charting.chart.data">@data1</option>

      <!-- set chart2 to use columns 0,4, where 0 is time, 4 is the count -->
      <option name="charting.data2">view</option>
      <option name="charting.data2.table">@data</option>
      <option name="charting.data2.columns">[0,4]</option>
      <option name="charting.chart2.data">@data2</option>

      <!-- Splunk doesn't support two Y axes, so we have to clone -->
      <!-- clone the Y axis into axisY2 -->
      <option name="charting.axisY2">#axisY</option>

      <!-- clone the Y-axis labels -->
      <option name="charting.axisLabelsY2">#axisLabelsY</option>

      <!-- associate the new Y2 axis labels with the Y2 axis -->
      <option name="charting.axisLabelsY2.axis">@axisY2</option>

      <!-- create the 1st chart -->
      <option name="charting.chart">column</option>
      <option name="charting.chart.columnBrushPalette">@transparentBrushPalette</option>
      <option name="charting.chart.stackMode">stacked</option>
      <option name="charting.chart.useAbsoluteSpacing">True</option>
      <option name="charting.chart.columnSpacing">20</option>
      <option name="charting.chart.columnAlignment">.5</option>
      <option name="charting.axisTitleY.text">Time</option>
      <option name="charting.axisLabelsY.placement">left</option>

      <!--create the 2nd chart -->
      <option name="charting.chart2">line</option>
      <option name="charting.chart2.nullValueMode">zero</option>
      <!-- the Y axis of chart 2 is a link to charting.axisY2 -->
      <option name="charting.chart2.axisY">@axisY2</option>

      <option name="charting.axisTitleY2">axisTitle</option>
      <option name="charting.axisTitleY2.text">Count</option>
      <option name="charting.axisLabelsY2.placement">right</option>

      <!-- throw the structure to layout -->
      <option name="charting.layout.charts">[@chart,@chart2]</option>
      <option name="charting.layout.axisLabels">[@axisLabelsX,@axisLabelsY,@axisLabelsY2]</option>
      <option name="charting.layout.axisTitles">[@axisTitleX,@axisTitleY,@axisTitleY2]</option>

      <!--<earliestTime>$earliest$</earliestTime>
      <latestTime>$latest$</latestTime>
      <option name="charting.axisTitleX.visibility">visible</option>
      <option name="charting.axisTitleY.visibility">visible</option>
      <option name="charting.axisX.scale">linear</option>
      <option name="charting.axisY.scale">linear</option>
      <option name="charting.chart">line</option>
      <option name="charting.chart.nullValueMode">zero</option>
      <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
      <option name="charting.chart.stackMode">stacked</option>
      <option name="charting.chart.style">shiny</option>
      <option name="charting.drilldown">all</option>
      <option name="charting.layout.splitSeries">0</option>
      <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
      <option name="charting.legend.placement">right</option>
      <drilldown target="New Dashboard">
        <link>
          <![CDATA[
            /app/search/drilldown_for_event?form.dbName=$dbName$&form.event=$event$&form.elapsedType="$click.name2$"
          ]]>
        </link>
      </drilldown>
      <option name="wrap">true</option>
      <option name="rowNumbers">false</option>
      <option name="dataOverlayMode">none</option>
      <option name="drilldown">cell</option>-->
    </chart>
  </row>
</form>

As you can probably tell from the searchString, the return from the search is identical to the return for the search in the linked question. Does anyone know why I wouldn't be getting at least some form of an overlay? Why is Splunk only respecting the first chart? Is this feature deprecated in Splunk 6? Any insight would be greatly appreciated.

1 Solution

lguinn2
Legend

In past versions, Splunk automatically reverted to Flash modules to display chart overlays and used HTML 5 as the default otherwise. As of 6, Splunk no longer automatically switches to the deprecated Flash modules. However, if you convert your simple XML to advanced XML, you can still explicitly invoke Flash for this type of display.
