How to plot cumulative stack timechart?

meamitjain
New Member

Hello, I have a timechart by location requirement. Also, the client wants to see the cumulative value on the stacked bar so that he doesn't have to add up numbers to find the total for that minute. Is there a formatting option on the chart or something I could do within the query?

Thanks
Amit

0 Karma

kristian_kolb
Ultra Champion

The following example shows how you can add fields numerically (never mind that it does not add hours and minutes correctly, the point is to demonstrate addition through the eval command, with data that is available on every Splunk instance).

index=_internal | head 3 | eval hm = date_hour + date_minute | eval hms = hm + date_second | table _time date_hour date_minute date_second hm hms

As you can see, the table contains the original fields as well as the computed ones.

To remove fields you do not want - add the | fields - fieldname1 fieldname2 etc to the end of the search.

To present the table as a graph, press the 'Results Chart' icon (looks like a small bar-chart, just below where it says "X matching results"). There you can play around with various options, such as stacking etc.

You could/should perhaps also take a look at the proper charting commands, such as chart and timechart. Or stats, which may also prove useful.

hope this helps,

Kristian

0 Karma

meamitjain
New Member

sample events count:
Time,Location1,Location2,Location3
12:31,30,40,50
12:32,40,50,60
12:33,20,30,40

sample output expected:
Time,Location1,Location2,Location3
12:31,30,70,120
12:32,40,90,150
12:33,20,50,90

On stacked chart I want to show the values as cumulative.

Hope this helps.

0 Karma
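
Added example (not part of the original thread or any poster's code): one way to produce the cumulative-per-minute output from the sample above, using untable, streamstats and xyseries so that it works for any number of locations. The rows are constructed with makeresults from the sample counts; on real data the first seven lines would be replaced by a timechart split by the location field (field name assumed), with _time in place of Time.

```spl
| makeresults count=3
| streamstats count AS n
| eval Time=case(n=1,"12:31", n=2,"12:32", n=3,"12:33")
| eval Location1=case(n=1,30, n=2,40, n=3,20)
| eval Location2=case(n=1,40, n=2,50, n=3,30)
| eval Location3=case(n=1,50, n=2,60, n=3,40)
| table Time Location1 Location2 Location3
| untable Time location count
| sort 0 Time location
| streamstats sum(count) AS running_total BY Time
| xyseries Time location running_total
```

Each series now already contains the running sum, so render the result with stack mode off; stacking these columns would add the values a second time.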

kristian_kolb
Ultra Champion

Please provide more information. Sample events. Sketch of desired output.
