Hi everyone. I have browsed around and found things which are kind of similar, but not quite what I'm looking for.
We are generating a column chart currently. What we need is the ability to draw a line across it at a set threshold, so we can very easily see when the columns exceed that threshold. Can someone provide some direction as to how this can best be accomplished? Preferably with simple XML if at all possible (if not, I'll switch over, but I greatly prefer simplified over advanced due to clarity).
I ended up switching over to advanced XML for this. Here is the XML:
Please read this article to get through the basic steps in the advanced XML. In essence, you need enough data points for the column and line points to paint on the same Y axis.
As for the simple XML, here is an example:
Purpose: Draw activity level by top 3 sourcetypes (stacked columns) and display sum of KBPS (line). Here is a search for that:
index=_internal group="per_sourcetype_thruput" earliest=-24h@h
| timechart count by series limit=3
| appendcols [search index=_internal group="per_sourcetype_thruput" | timechart sum(kbps) AS KBThroughput]
| fields - OTHER
Here is Simple XML to draw the items in the order expected. Please pay close attention to the ordering of your own data in terms of columns. In this case we are using a timechart so column 0 is time, column 1 is KBThroughput and columns 2-to-4 are the aggregate sourcetype counts. In other words, you might end up with a tabular data set like so... You end up with five (5) columns and you need to choose the elements which represent your data visualization.
time KBThroughput access_combined splunkd websphere_trlog
2013-05-27T15:00:00.000+0000 87.409021 58 58 31
2013-05-27T15:30:00.000+0000 86.310125 58 58 32
...
The relationships in the data display are 0:1 as x:y for the KBThroughput and 0:2,3,4 as x:y1,y2,y3 for the aggregate columns which represent the count of messages by sourcetype.
Finally, here is the sample XML.
<?xml version='1.0' encoding='utf-8'?>
<dashboard>
  <label>sample overlay simple xml</label>
  <row>
    <chart>
      <searchName>sample overlay</searchName>
      <title>sample overlay</title>
      <option name="charting.axisTitleX.text">Last 24 Hours</option>
      <option name="charting.primaryAxisTitle.text">Activity</option>
      <option name="charting.data0">results</option>
      <option name="charting.data0.jobID">@data.jobID</option>
      <option name="charting.data1">view</option>
      <option name="charting.data1.table">@data0</option>
      <option name="charting.data1.columns">[0,2,3,4]</option>
      <option name="charting.chart1.data">@data1</option>
      <option name="charting.chart1">column</option>
      <option name="charting.chart1.nullValueMode">gaps</option>
      <option name="charting.chart1.stackMode">stacked</option>
      <option name="charting.chart1.columnAlignment">0.5</option>
      <option name="charting.data2">view</option>
      <option name="charting.data2.table">@data0</option>
      <option name="charting.data2.columns">[0,1]</option>
      <option name="charting.chart2">line</option>
      <option name="charting.chart2.data">@data2</option>
      <option name="charting.chart2.showMarkers">true</option>
      <option name="charting.chart2.markerSize">5</option>
      <option name="charting.layout.charts">[@chart1,@chart2]</option>
      <option name="charting.layout.axisTitles">[@axisTitleX,@axisTitleY]</option>
    </chart>
  </row>
</dashboard>
I hope this helps.
Is it possible to achieve this overlay but with different scales for the line vs the columns? My values for the column chart are less than 100, however, the line chart will be over 100,000.
Yes, look at this example:
http://docs.splunk.com/Documentation/Splunk/6.3.1511/Viz/Chartcontrols#Chart_overlay_example_.28dual...
This is documented as a migration issue in moving from Splunk 5 to Splunk 6. In Splunk 6, simple XML uses JavaScript, not Flash. The technique used here requires Flash.
That's almost perfect! I got rid of the marker size and showmarker options (it's a threshold line and they looked a bit weird). The only thing left is to get Splunk to somehow draw the line the whole way across which I'm not sure is possible (atm it draws to the middle of each column). Either way, this is more than close enough to work 🙂 Thank you for your help!
Glad the simple XML works for you. You are almost there. The markers for the line are, by default, aligned to the left. You cannot realign the line markers but you can set the position for the column. See updated example to reflect that.
Also, I attempted with the simple XML and it almost works except the line is not drawn across the final column, so it only appears to cross the first 23 columns. I have verified that the table columns don't include any missing data, so I'm not sure what's going on.
I appreciate your help, but still am not having luck. The chart is still being generated as a column chart, with two columns for every timespan (one for the count, one for the threshold). The column is supposed to be used for the count, and the threshold as mentioned is supposed to be the line. I must be missing something here... I added the xml above
Sorry. I missed that point. An overlay in simple XML is possible. I am amending my answer with an example.
So, is there no way to do this without using advanced XML?
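For Splunk 6, where Simple XML charts are rendered with JavaScript rather than Flash, the overlay discussed in this thread can be declared with the chart overlay options instead of the charting.dataN / charting.chartN wiring. The dashboard below is an added example, not code from any poster in this thread: the first panel draws a fixed threshold line on the same axis as the columns, the second puts a much larger series on a second Y axis. The field names events and threshold, the 30-minute span and the threshold value 100 are assumptions.

```xml
<dashboard>
  <label>overlay examples (added illustration)</label>
  <row>
    <panel>
      <chart>
        <title>Event count with a fixed threshold line</title>
        <search>
          <!-- threshold=100 is a constructed sample value; eval adds it to every row -->
          <query>index=_internal group="per_sourcetype_thruput" | timechart span=30m count AS events | eval threshold=100</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">column</option>
        <!-- overlay fields are drawn as lines; with no second axis the line shares the column scale -->
        <option name="charting.chart.overlayFields">threshold</option>
      </chart>
    </panel>
    <panel>
      <chart>
        <title>Event count (columns) and KB throughput (line, second axis)</title>
        <search>
          <query>index=_internal group="per_sourcetype_thruput" | timechart span=30m count AS events sum(kbps) AS KBThroughput</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.chart.overlayFields">KBThroughput</option>
        <!-- a second Y axis keeps a large overlay series from flattening small columns -->
        <option name="charting.axisY2.enabled">true</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.axisTitleY.text">Events</option>
        <option name="charting.axisTitleY2.text">KB throughput</option>
      </chart>
    </panel>
  </row>
</dashboard>
```

Once charting.axisY2.enabled is true, every overlay field is plotted against the second axis, so a threshold meant to be compared with the columns belongs in a chart that leaves it disabled.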