Dashboards & Visualizations

Creating a stacked line chart not by time

byu168
Path Finder

Hi all,

Our machines run through various processes (each one is given a unique run_id), each process can be broken down into different steps. What I want to do is to create a stacked line chart (or area chart) where the duration of each step can be shown for each run_id and a sum of all the steps given. I've created two different queries to get the data to what I want but I'm not sure how to convert either into a readable line chart.

Sample table from query 1:

run_id             duration            sum
x                    4                20
                     5                         
                     6
                     5
y                   10                50

Duration is a multivalue field in this case and the sum is just a single sum of all the steps.

Sample table from query 2

run_id step duration cumulative sum
x 1 4 4
x 2 5 9
x 3 6 15
x 4 5 20
y 1 10 10

This table shows the step name and the sum is a cumulative sum (using streamstats).

I need to use the run_id (run_ids are essentially a marker of when the process occurred) on the y-axis. I know that a stacked column chart would be a much better way to visualize the duration/sum of the steps but we go through nearly a hundred runs a day and it's not feasible to produce that many columns. Does anyone have any advice on how to turn either of these tables into a readable line chart?

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

Would you give this a try. Search:

Query 2 giving fields run_id step duration cumulative sum (don't care about cumulative sum)
| chart sum(duration) over run_id by step

Display it in stacked column chart. So each column would represent a run_id and each column will be splitted into duration for step. Total height of column will be total duration (not calculated but can see visually).

View solution in original post

0 Karma

woodcock
Esteemed Legend

Show us some raw events and a mockup of the chart that you desire (I do not get it).

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Would you give this a try. Search:

Query 2 giving fields run_id step duration cumulative sum (don't care about cumulative sum)
| chart sum(duration) over run_id by step

Display it in stacked column chart. So each column would represent a run_id and each column will be splitted into duration for step. Total height of column will be total duration (not calculated but can see visually).

0 Karma

byu168
Path Finder

I had intended to avoid using a stacked column chart because I didn't think it would scale well with the amount of runs we had but it actually looks fine. Thanks.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...