Splunk Search

How to overlay 2 searches to generate linechart and area chart?

mmouse88
Path Finder

Using 6.1, I would like to create a horizontal line with area chart. I have read so many examples and my search command has produce very close result. Only thing missing is to show by sourcetype limit=n (number). Here's my command:

index=name | bin _time span=15m | eventstats max(total_capacity) as Available | timechart sum(eval(quantity/12)) span=1h as current_usage first(Available) as available

Right now it shows the horizontal line which is available and under is the area chart which is current_usage. very close to what i want.

I would like to some how show current_usage is a sourcetype. example: by sourcetype limit=n (number). Instead solid area chart, it has a breakdown what the sourcetype is. sourcetype = powertools (hammer, wrench, screwdriver, etc).

Thanks.

0 Karma
1 Solution

mmouse88
Path Finder

I was able to figure this out by using "appendcols"

View solution in original post

0 Karma

mmouse88
Path Finder

I was able to figure this out by using "appendcols"

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

I'm not quite sure if I understand your question correctly, are you trying to split the area by sourcetype but still show one overlay line overall?

Try this:

  index=name
| timechart span=1h sum(eval(quantity/12)) as current_usage max(total_capacity) as available by sourcetype
| rename "current_usage: *" as * | eval available = 0
| foreach "available: *" [eval available = if(isnull('<<FIELD>>' OR '<<FIELD>>' < available, available, '<<FIELD>>')]
| eventstats max(available) as available | fields - "available: *"
0 Karma

martin_mueller
SplunkTrust
SplunkTrust

My search doesn't yield ten sourcetypes and one available column?

0 Karma

mmouse88
Path Finder

sorry again, use this link as example http://docs.splunk.com/Documentation/Splunk/6.1.3/SearchReference/Timechart. Example one is a stacked bar chart, the type is ProductName. Instead of bar chart, mine is stacked area chart with 10 types shown. Maybe i was using the wrong terminology, sourcetype vs type.

0 Karma

mmouse88
Path Finder

you are correct that your search will not yield 10 sourcetypes and one available column if you use the original search. My question was how to change it to display 10 sourcetypes on the visualization tab with the line chart and area chart and 10 columns on the Statistics tab

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

That doesn't reduce my confusion. If the search I posted earlier doesn't miraculously do what you need you should post a batch of sample data along with how you want the chart to look like.

0 Karma

mmouse88
Path Finder

basically, if I break the last search:

index=name | bin _time span=15m | timechart sum(eval(quantity/12)) span=1h as current_usage first(Available) as available

replace it with

index=name | bin _time span=15m | timechart sum(eval(quantity/12)) span=1h by sourcetype limit=10

The area chart wll display 10 sourcetypes. Hope this helps.

0 Karma

mmouse88
Path Finder

sorry for the confusion. Basically i want to show two charts: line and area where the area would like to breakdown what current_usage is. current_usage is powertools. Powertools has hammer, wrench, screwdriver, etc.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...