chart overlay with sideview util ?

lain179
Communicator

Hi,

I have two values that I would like to draw on one time chart. Currently I have the following query that doesn't work the way I want it to.

(sourcetype="Application" Type = "A"  AND WorkTime > 0) AND Project="ABC" | chart values(WorkTime) as ATime over _time | appendcols [ search (sourcetype="Application" Type = "B"  AND WorkTime > 0)  AND Project="ABC" | chart values(WorkTime) as BTime over _time ]

The lines for those two values are not drawing correctly on the chart. Did I do something wrong in my query? Is there an example of a chart overlay using the SideView Util Editor? I know how to do that in XML... Just wondering if there is a way in the SideView Util Editor to do the same.

Thanks.

1 Solution

sideview
SplunkTrust

No, there's no special shortcut to doing a chart overlay in the Sideview Editor. You'll have to go through the same steps adding modules and setting params that you would do hand-typing the Advanced XML, but just do those steps in the authoring tool.

And as an aside, I don't think you need to use append or anything complex like chart overlays to get this done.

You're using append to glue together two searches that are quite similar. Let's just get all the events for both sides in one pass.

((sourcetype="Application" Type = "A" AND WorkTime > 0) AND Project="ABC") OR ((sourcetype="Application" Type = "B" AND WorkTime > 0) AND Project="ABC")

The boolean logic can be simplified down to just

sourcetype="Application" WorkTime > 0 Project="ABC" (Type="A" OR Type="B")

And AND is always redundant in the search clause so we can remove those without changing the meaning.

From here, what you're doing with the multivalued fields is a little strange but my guess is you're using this trick to get the raw values on the chart instead of aggregated statistics of those values.

At any rate, if you're willing to pick a stat, you can see the Type="A" as one line and the Type="B" as another just with:

sourcetype="Application" WorkTime > 0 Project="ABC" (Type="A" OR Type="B") | timechart max(WorkTime) by Type

Granted... you have to pick some kind of aggregation - like max, min, avg, 95th percentile, etc... Sometimes this seems distasteful but the aggregation is really your friend in many ways once you trust it. And often people want to graph "the raw values" even when they have nowhere near enough pixels on their monitor to see the difference anyway.

lain179
Communicator

oh that looks much better. Thanks!

0 Karma

sideview
SplunkTrust

It feels like you're getting full information if you graph all the values, but you're still throwing away some information - in that one point graphed once will seem to have the same weight as another point graphed 10000 times.

Nonetheless, a WAY easier way than your crazy append is to do the following:

| rename _time as time | stats count as getsThrownAway by time WorkTime Type | xyseries time Type WorkTime | rename time as _time

I renamed _time to time just so that you can take the search apart pipe by pipe to see how it works without _time disappearing on you.

0 Karma
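Why the appendcols version from the question draws the lines wrong, and what the one-pass stats/xyseries pivot above does instead, as an added model in Python (not code from the thread; the event list and bucket numbers are constructed):

```python
from collections import defaultdict

# Constructed sample events (not from the thread): (time bucket, Type, WorkTime).
# Type "B" has no event in bucket 2, so the two per-Type result sets have
# different row counts, which is exactly the situation appendcols handles badly.
EVENTS = [
    (1, "A", 5), (1, "A", 7), (1, "B", 3),
    (2, "A", 6),
    (3, "A", 8), (3, "B", 4), (3, "B", 9),
]

def chart_values_over_time(events, wanted_type):
    """Model of `... Type="X" | chart values(WorkTime) over _time`:
    one row per time bucket that has events of that Type, with the
    distinct WorkTime values as a sorted multivalue cell."""
    buckets = defaultdict(set)
    for t, typ, wt in events:
        if typ == wanted_type:
            buckets[t].add(wt)
    return [(t, sorted(vals)) for t, vals in sorted(buckets.items())]

def appendcols_by_position(left, right):
    """Model of appendcols: the i-th subsearch row is glued onto the i-th main
    row by position, not by _time, and the subsearch's own _time is dropped.
    Once one side skips a bucket, every later BTime lands on the wrong row."""
    rows = []
    for i, (t, lvals) in enumerate(left):
        rvals = right[i][1] if i < len(right) else []
        rows.append({"_time": t, "ATime": lvals, "BTime": rvals})
    return rows

def stats_then_xyseries(events):
    """Model of `stats count by time WorkTime Type | xyseries time Type WorkTime`:
    one pass over all events, keyed by time, one multivalue column per Type.
    A Type with no events in a bucket simply has no column value there."""
    table = defaultdict(lambda: defaultdict(set))
    for t, typ, wt in events:
        table[t][typ].add(wt)
    return [{"_time": t, **{typ: sorted(v) for typ, v in cols.items()}}
            for t, cols in sorted(table.items())]
```

In the appendcols model, B's bucket-3 values end up on the bucket-2 row and the bucket-3 row gets nothing, which is the kind of "lines not drawing correctly" the question describes; the pivot keeps every value on its own timestamp.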

lain179
Communicator

I would like all WorkTime values of each Type over time...not just max/min/avg over a certain time span using timechart. How can I do that?

0 Karma