Solved: Re: How to overlap two bars in a Splunk chart?

luna23 · ‎07-19-2016

I have this search that counts the times a product has been purchased and the times the same product has been purchased with some other product, in this case product m.
I want to overlap the TotalEvents upon the TotalMatchs, but the option of stacked bars is just adding up the 2 fields.

Can someone help me please?

index=main sourcetype=csv source="reglas2.csv" Productos!=m [ search index=main sourcetype=csv source="reglas2.csv" Productos!=m [search index=main sourcetype=csv source="reglas2.csv" Productos=m | fields Id_Transaccion] | fields Productos ] | stats count as TotalEvents by Productos | appendcols [search index=main sourcetype=csv source="reglas2.csv" Productos!=m [search index=main sourcetype=csv source="reglas2.csv" Productos=m | fields Id_Transaccion] | stats count as TotalMatch by Productos]|table Productos  TotalMatch TotalEvents

DMohn · ‎07-21-2016

If you really need to use bar charts, you could try to "cheat" by substracting the field TotalMatch from TotalEvents, and then stacking the fields. In this case you would see correct graphics, but your table results are wrong.

Just for the visualisation it can be a usable method still...

index=main sourcetype=csv source="reglas2.csv" Productos!=m [ search index=main sourcetype=csv source="reglas2.csv" Productos!=m [search index=main sourcetype=csv source="reglas2.csv" Productos=m | fields Id_Transaccion] | fields Productos ] | stats count as TotalEvents by Productos | appendcols [search index=main sourcetype=csv source="reglas2.csv" Productos!=m [search index=main sourcetype=csv source="reglas2.csv" Productos=m | fields Id_Transaccion] | stats count as TotalMatch by Productos] | eval TotalEvents = TotalEvents - TotalMatch |table Productos  TotalMatch TotalEvents

View solution in original post

DMohn · ‎07-21-2016

If you really need to use bar charts, you could try to "cheat" by substracting the field TotalMatch from TotalEvents, and then stacking the fields. In this case you would see correct graphics, but your table results are wrong.

Just for the visualisation it can be a usable method still...

index=main sourcetype=csv source="reglas2.csv" Productos!=m [ search index=main sourcetype=csv source="reglas2.csv" Productos!=m [search index=main sourcetype=csv source="reglas2.csv" Productos=m | fields Id_Transaccion] | fields Productos ] | stats count as TotalEvents by Productos | appendcols [search index=main sourcetype=csv source="reglas2.csv" Productos!=m [search index=main sourcetype=csv source="reglas2.csv" Productos=m | fields Id_Transaccion] | stats count as TotalMatch by Productos] | eval TotalEvents = TotalEvents - TotalMatch |table Productos  TotalMatch TotalEvents

luna23 · ‎07-21-2016

Thanks DMohn,as you said it, the calculations will be wrong, although the chart will look good.
But what i am trying to do here is a market basket analisys, so i need to show the correct times a product has been purchased (TotalEvents) and the times a product has been purchased with other product (TotalMatch)

DMohn · ‎07-21-2016

Where shall these numbers be used? Is there a chance to include a table and a visualisation?

In this case you can introduce a temporary field like eval DisplayTotalEvents = TotalEvents - TotalMatch for the bar chart, and use the correct total fields for the table...

luna23 · ‎07-21-2016

It could be an option, Thanks

sundareshr · ‎07-19-2016

Try area chart?

luna23 · ‎07-21-2016

I already tried the area chart and it does overlap, but i want the same result in a bar chart

How to overlap two bars in a Splunk chart?

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?