For example, I'm creating a dashboard with two timecharts like below:
eventtype="watchlist_result"
| timechart span=1h limit=0 first(nDevices) by name
| fillnull value=0
eventtype="watchlist_result"
| timechart span=1h limit=0 first(nActivities) by name
| fillnull value=0
And in the dashboard I configure using 'Trellis' so I get a chart for each 'name'... One thing that is cumbersome is that I end up with two panels, and if the user wants to look at the device and activity count for the same name, they have to scroll on both panels...
However, I would like to bundle the two timecharts (since they are split by the same field 'name') into one panel, so that charts with the same name are presented together and the user just needs to scroll once.
[Edit]
To clarify further, the 'nDevices', 'nActivities' and 'name' are fields extracted from the event. Since the charts are all split by the same field 'name', I would like to have a way to have the device/activity charts for the same name shown together like a pair in trellis, something like below:
Any luck with this? I'm in a similar situation right now.
Merge the timecharts for the two different series into one and then use the Trellis formatting options in the UI to split by 'name'.
eventtype="watchlist_result"
| timechart span=1h limit=0 first(nDevices) as nDevices first(nActivities) as nActivities by name
| fillnull value=0
Following is the Simple XML option for splitting the trellis by 'name':
<option name="trellis.splitBy">name</option>
Since your scale for nDevices (in the example the max is 1) and the scale for nActivities differ by a lot, ideally you should create a Chart Overlay also. The following will create an overlay for nDevices with an inherited scale, to interpret device increments/decrements easily according to activities:
<option name="charting.axisTitleY.text">nActivities</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.text">nDevices</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.chart.overlayFields">nDevices</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart.nullValueMode">zero</option>
PS: Chart Overlay is optional but I feel you would be able to get better interpretation with the same.
Hi @niketnilay, I've been trying to implement your solution here for the same issue. I would like to use the overlay without trellis, but the fields become a concatenation with the by value, so the overlayField doesn't work. I'm able to make it work in the GUI by manually choosing each concatenated value for a particular search, but it doesn't generalize for the dashboard.
Thanks for any suggestions. Is it possible to have a wildcard in the field name or something similar, for example?
@cblanton if you have more than one aggregation along with a split-by field in timechart then you will have multiple series names created in regular visualizations, which is expected behavior, and this is what Trellis solves. However, if you do not want Trellis, could you please elaborate on what works for you in Search but not in the dashboard? Also, if possible, add your search query, some dummy sample data and a screenshot of the results (both expected and actual). Please mock/anonymize any sensitive information before posting.
thanks, @niketnilay, I went ahead and posted this as a new question. https://answers.splunk.com/answers/773306/timechart-of-two-stats-with-split-by-same-field-on.html
@niketnilay Thanks a lot for the reply, just updated my question with more context on exactly what I want.
Unfortunately I do not want to use an overlay with separate scales; I just would like to know if there is a way to bundle/pair two timecharts split by the same field.
If you do not want to overlay, you can just create the combined timechart and split the Trellis by 'name'. You need not perform the subsequent steps for the chart overlay... they were just a suggestion.
Start with this...
eventtype="watchlist_result"
| eval fan = mvrange(0,2)
| mvexpand fan
| eval value=if(fan=0,nDevices,nActivities)
| eval type=if(fan=0,name." Devices", name." Activities")
| timechart span=1h limit=0 first(value) by type
| fillnull value=0
I'm not sure exactly what the meaning of 'nDevices' or 'nActivities' is, or why you have 'by name' but have only one set of results, but this should produce a result that combines your prior two results into a single timechart.
@DalJeanis Thx for showing me this syntax!~ Sorry for not being fully clear, just updated my question with more context. Unfortunately this is not really what I want.
@ee07b291 - The two queries you posted are identical.
@DalJeanis updated.