Splunk Search

Can I have a chart overlay with 2 series stacked in a Splunk graph?

HattrickNZ
Motivator

I have a chart with 4 series and what I am wondering is "can I have a chart overlay with 2 series stacked in a Splunk graph"?

For example can I get the 2 lines(red and purple) in the below graph stacked in the chart overlay
alt text

this is what I am trying to achieve in excel
alt text

0 Karma
1 Solution

HattrickNZ
Motivator

Can I have a chart overlay with 2 series stacked in a Splunk graph?

thanks to @martin_mueller in the above comments. this is the answer.
Chart overlays are not stacked, on purpose.

With a bit of postprocessing you could compute the height of the stacked bars for each row, and add this offset to the overlay fields to emulate this behaviour.

View solution in original post

0 Karma

HattrickNZ
Motivator

Can I have a chart overlay with 2 series stacked in a Splunk graph?

thanks to @martin_mueller in the above comments. this is the answer.
Chart overlays are not stacked, on purpose.

With a bit of postprocessing you could compute the height of the stacked bars for each row, and add this offset to the overlay fields to emulate this behaviour.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Sure: Select bar chart, select stacked mode, put your two overlay serieses into the chart overlay fields, done.

alt text

martin_mueller
SplunkTrust
SplunkTrust

Like this:

index=_internal |timechart span=1m  count by sourcetype | addtotals | eval splunkd_ui_access = Total - splunkd | eval splunkd = Total | fields - Total

alt text

Note how the mongod bar bumps up both lines, and how the splunkd_ui_access line bumps up the splunkd line towards the right. Alter the arithmetic if that's not what you're looking for.

HattrickNZ
Motivator

tks, kind of but slightly different. have got mie sorted for now.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Chart overlays are not stacked, on purpose.

With a bit of postprocessing you could compute the height of the stacked bars for each row, and add this offset to the overlay fields to emulate this behaviour.

HattrickNZ
Motivator

why didn't you say so 🙂 tks. Ill look at doing some preprcessing or as I like to call it fiddling 🙂 But I do think it would be good as an option to be able to stack the chartoverlay, in my case here I am trying to do it on the 2nd y axis, my 2 cents.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

The search is index=_internal |timechart count by sourcetype, the entire chart configuration is described above already.

HattrickNZ
Motivator

checked that with my different data set and pretty sure they are not stacked. hard to confim with my dataset,

In your example above I think splunkd and splunkd_ui_access are not stacked.I am not sure but if they were splunkd(the green line) would jump up when splunkd_ui_access jumps up(around 10.55pm). thoughts?

0 Karma

HattrickNZ
Motivator

thats what I thought. not working on my data. can I just confirm that you know that splunkd and splunkd_ui_access are stacked there? Can I have the search to see if i can reproduce at my end? tks

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...