Splunk Search

How do I create a stacked bar chart?

lakromani
Builder

I have 3 servers: host=host1, host2, and host3
From these servers I get s_status=ok, nok

I would like to get a graph where I get number of ok from all three servers in one column with servers listed with different colors in the same column.

Eks (Selecting Column as display format)

s_status=ok | timechart count by s_status

This gives me each a column with the sum of all three servers (correct number, but missing the color of each server)

Then I try

s_status=ok | timechart count by host

This gives me the three servers side by side with different colors.

I want them stacked with each server in the same column, but different colors and size depending on the number of ok

Maybe I need to use chart instead of timechart, but I do not know how to put it together.

Tags (3)
1 Solution

pwmcity
Path Finder

When you're on the visualizations tag (you can see the graph), look for the formatting options, there's an option to stack there.
I'd say you're better to go with your first option though, that way you can have your 'ok's stacked as blue, and your 'nok's stacked as red.... which is more alarming to see than a gap in blue

View solution in original post

hgrow
Communicator

Hi lakromani,

there is a dropdown menu with some format options for your visualization.

If you click Format -> Genereal -> Stack Mode: stacked its might be what you are looking for.

Greetings

lakromani
Builder

You are correct, just as pwmcity implied to. Thanks.

0 Karma

tom_frotscher
Builder

Hi,

to get them stacked: Stacked is a format option of the column chart:

alt text

Is your search s_status=ok | timechart count by host in addition to the stacked option what you wanted? Or do you need something else?

Greetings Tom

lakromani
Builder

Thanks, just as pwmcity answered, but yours are more visual 🙂

0 Karma

pwmcity
Path Finder

When you're on the visualizations tag (you can see the graph), look for the formatting options, there's an option to stack there.
I'd say you're better to go with your first option though, that way you can have your 'ok's stacked as blue, and your 'nok's stacked as red.... which is more alarming to see than a gap in blue

lakromani
Builder

Thanks, so simple. I have overclocked the stack mode in Format tab ....

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...