Dashboards & Visualizations

How to bundle two timecharts that are split by the same field

ee07b291
Explorer

For example, I'm creating a dashboard with two timecharts like below:

eventtype="watchlist_result" 
|  timechart span=1h limit=0 first(nDevices) by name 
|  fillnull value=0

eventtype="watchlist_result" 
|  timechart span=1h limit=0 first(nActivities) by name 
|  fillnull value=0

And in the dashboard I configure it using 'Trellis' so I get a chart for each 'name'. One thing that is cumbersome is that I end up with two panels, and if a user wants to look at the device and activity count for the same name, they have to scroll on both panels.

[screenshot]

However, I would like to bundle the two timecharts (since they are split by the same field 'name') into one panel, so that charts with the same name are presented together and the user just needs to scroll once.

[Edit]

To clarify further, nDevices, nActivities and name are fields extracted from the event.

Since the charts are all split by the same field name, I would like to have a way to show the device/activity charts for the same name together as a pair in the trellis, something like below:

[screenshot]


Tom1187
Path Finder

Any luck with this? I'm in a similar situation right now


niketn
Legend

Merge the timecharts for the two different series into one, and then use the Trellis formatting options in the UI to split by name.

eventtype="watchlist_result" 
|  timechart span=1h limit=0 first(nDevices) as nDevices first(nActivities) as nActivities by name 
|  fillnull value=0

Following is the Simple XML option for splitting the Trellis by name:

    <option name="trellis.splitBy">name</option>

Since your scale for nDevices (in the example the max is 1) and the scale for nActivities differ by a lot, ideally you should also create a Chart Overlay. The following will create an overlay for nDevices with an inherited scale so that device increments/decrements are easy to interpret alongside activities:

    <option name="charting.axisTitleY.text">nActivities</option>
    <option name="charting.axisTitleY.visibility">visible</option>
    <option name="charting.axisTitleY2.text">nDevices</option>
    <option name="charting.axisTitleY2.visibility">visible</option>
    <option name="charting.chart.overlayFields">nDevices</option>
    <option name="charting.axisY2.scale">inherit</option>
    <option name="charting.chart.nullValueMode">zero</option>

PS: The Chart Overlay is optional, but I feel you would get a better interpretation with it.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
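The combined-timechart-plus-trellis approach above, assembled into one complete Simple XML dashboard as an added example (this is not code posted in the thread). So that it runs on any Splunk instance without the `watchlist_result` eventtype, the search synthesizes 48 hourly events for two constructed names, `alpha` and `beta`, with `makeresults`; the counts are made up. To use it against real data, replace everything before the `timechart` with `eventtype="watchlist_result"`. The `trellis.scales.shared`, `trellis.size` and `charting.chart` options are standard Simple XML chart options that the answer did not mention; the overlay options from the answer are included in a comment.

```xml
<dashboard>
  <label>Watchlist: devices and activities per name</label>
  <row>
    <panel>
      <title>nDevices and nActivities, one chart per name (trellis split by name)</title>
      <chart>
        <search>
          <query><![CDATA[
| makeresults count=48
| streamstats count as i
| eval _time = relative_time(now(), "-48h") + (i - 1) * 3600
| eval name = mvappend("alpha", "beta")
| mvexpand name
| eval nDevices = if(name="alpha", i % 3, i % 2)
| eval nActivities = if(name="alpha", (i * 7) % 40, (i * 11) % 60)
| timechart span=1h limit=0 first(nDevices) as nDevices first(nActivities) as nActivities by name
| fillnull value=0
          ]]></query>
          <earliest>-48h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">line</option>
        <!-- One chart per value of the split-by field; each chart carries both
             series (nDevices and nActivities) for that name. -->
        <option name="trellis.enabled">1</option>
        <option name="trellis.splitBy">name</option>
        <option name="trellis.size">medium</option>
        <!-- Give every name its own y-axis range instead of one shared range. -->
        <option name="trellis.scales.shared">0</option>
        <!-- Optional overlay from the answer above: put nDevices on a second
             y-axis so its small values are readable next to nActivities.
        <option name="charting.axisTitleY.text">nActivities</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.text">nDevices</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.chart.overlayFields">nDevices</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart.nullValueMode">zero</option>
        -->
      </chart>
    </panel>
  </row>
</dashboard>
```

The two aggregations in a single `timechart ... by name` produce series named `nDevices: alpha`, `nActivities: alpha`, `nDevices: beta` and so on; `trellis.splitBy` set to the split-by field groups those series by the part after the colon, which is exactly the pairing the question asks for.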

cblanton
Communicator

Hi @niketnilay, I've been trying to implement your solution here for the same issue. I would like to use the overlay without trellis, but the fields become a concatenation with the by value so the overlayField doesn't work. I'm able to make it work in the GUI by manually choosing each concatenated value for a particular search, but it doesn't generalize for the dashboard.

Thanks for any suggestions. Is it possible to have a wildcard in the field name or something similar, for example?


niketn
Legend

@cblanton if you have more than one aggregation along with a split-by field in timechart, then you will have multiple series names created in regular visualizations, which is expected behavior. And this is what Trellis solves. However, if you do not want Trellis, could you please elaborate on what works for you in Search but not in the dashboard? Also, if possible, add your search query, some dummy sample data and screenshots of the results (both expected and actual). Please mock/anonymize any sensitive information before posting.


cblanton
Communicator

Thanks, @niketnilay, I went ahead and posted this as a new question: https://answers.splunk.com/answers/773306/timechart-of-two-stats-with-split-by-same-field-on.html


ee07b291
Explorer

@niketnilay

Thanks a lot for the reply, I just updated my question with more context on exactly what I want.

Unfortunately I do not want to use an overlay with separate scales; I would just like to know if there is a way to bundle/pair two timecharts split by the same field.


niketn
Legend

If you do not want the overlay, you can just create the combined timechart and split the Trellis by name. You need not perform the subsequent steps for the chart overlay; they were just a suggestion.


DalJeanis
SplunkTrust

Start with this...

eventtype="watchlist_result" 
| eval fan = mvrange(0,2)
| mvexpand fan
| eval value=if(fan=0,nDevices,nActivities)
| eval type=if(fan=0,name." Devices", name." Activities")
| timechart span=1h limit=0 first(value) by type
| fillnull value=0

I'm not sure exactly what the meaning of nDevices or nActivities is, or why you have by name but have only one set of results, but this should produce a result that combines your prior two results into a single timechart.


ee07b291
Explorer

@DalJeanis Thanks for showing me this syntax!

Sorry for not being fully clear, I just updated my question with more context.

Unfortunately this is not really what I want.

DalJeanis
SplunkTrust

@ee07b291 - The two queries you posted are identical.


ee07b291
Explorer

@DalJeanis Updated.
