Yes, in a classic dashboard column chart, the fields will be stacked top-down based on their table order, left-to-right, so work_hours is stacked on top of slack_hours to give the effect of a vertical offset from 0. If we want to use a classic trellis layout to split by employee ID as shown below, we'll need to cheat by giving fields names that can be lexicographically sorted in our preferred order.

To generate eventNN fields from event data, we can count events with streamstats and generate a field name from the count. The exact numbering and ordering of the eventNN field doesn't matter; the fields just need to be unique:

| streamstats count
| eval event{count}=value

Let's normalize and extend the sample data in your chart by employee_id and separate work schedules from events, where date is an epoch date and start_time and end_time are epoch date and times in a schedule lookup named intidev_work_schedules.csv:

employee_id,date,start_time,end_time
123,1709510400,1709560800,1709596800
123,1709683200,1709683200,1709722800
123,1709769600,1709802000,1709841600
123,1709856000,1709888400,1709928000
123,1710028800,1710061200,1710100800
456,1709596800,1709625600,1709658000
456,1709683200,1709712000,1709744400
456,1709769600,1709798400,1709830800
456,1709856000,1709884800,1709917200
456,1709942400,1709971200,1710003600

and _time is an epoch date and time in event data with varying employee_id values:

| makeresults format=csv data="_time,employee_id,message
1709593200,123,Lorem ipsum
1709672400,123,dolor sit amet
1709676000,456,onsectetur adipiscing elit
1709679600,123,sed do eiusmod
1709694000,456,tempor incididunt
1709722800,123,ut labore et dolore
1709816400,123,Ut enim ad minim veniam
1709823600,456,quis nostrud exercitation
1709906400,123,ullamco laboris nisi
1709910000,456,ut aliquip ex ea
1709913600,123,commodo consequat
1710086400,123,Duis aute irure
1710090000,456,dolor in reprehenderit"
| streamstats count
| eval date=86400*floor(_time/86400), event{count}=(_time-date)/3600
| lookup intidev_work_schedules.csv employee_id date
| inputlookup append=t intidev_work_schedules.csv
| eval slack_hours=(start_time-date)/3600, work_hours=(end_time-start_time)/3600, _time=coalesce(_time, start_time)
| chart values(work_hours) as "00_work_hours" values(slack_hours) as "01_slack_hours" values(event*) as "02_event*" over _time span=1d by employee_id

Work schedules could be imported from an ERP, WFM, or related system. Event data can come from any source, e.g. badge scanners, call managers, Windows security event logs, etc.

Visualized in a classic dashboard:

<dashboard version="1.1" theme="light">
<label>intidev_trellis_schedule</label>
<search id="base">
<query>| makeresults format=csv data="_time,employee_id,message
1709593200,123,Lorem ipsum
1709672400,123,dolor sit amet
1709676000,456,onsectetur adipiscing elit
1709679600,123,sed do eiusmod
1709694000,456,tempor incididunt
1709722800,123,ut labore et dolore
1709816400,123,Ut enim ad minim veniam
1709823600,456,quis nostrud exercitation
1709906400,123,ullamco laboris nisi
1709910000,456,ut aliquip ex ea
1709913600,123,commodo consequat
1710086400,123,Duis aute irure
1710090000,456,dolor in reprehenderit"
| streamstats count
| eval date=86400*floor(_time/86400), event{count}=(_time-date)/3600
| lookup intidev_work_schedules.csv employee_id date
| inputlookup append=t intidev_work_schedules.csv
| eval slack_hours=(start_time-date)/3600, work_hours=(end_time-start_time)/3600, _time=coalesce(_time, start_time)
| chart values(work_hours) as "00_work_hours" values(slack_hours) as "01_slack_hours" values(event*) as "02_event*" over _time span=1d by employee_id</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<search base="base">
<query>| fieldsummary
| fields field
| search field=02_*
| rex field=field "(?&lt;field&gt;[^:]+)"
| mvcombine field
| eval field=mvjoin(field, ",")
</query>
<done>
<set token="overlayFields">$result.field$</set>
</done>
</search>
<row>
<panel>
<html>
<style>
#columnChart1 .highcharts-series.highcharts-series-1.highcharts-column-series {
opacity: 0 !important;
}
</style>
</html>
<chart id="columnChart1">
<search base="base"/>
<option name="charting.axisLabelsY.majorTickVisibility">show</option>
<option name="charting.axisLabelsY.majorUnit">1</option>
<option name="charting.axisLabelsY.minorTickVisibility">hide</option>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.axisTitleY.text">Hour</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisX.abbreviation">none</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.abbreviation">none</option>
<option name="charting.axisY.includeZero">1</option>
<option name="charting.axisY.maximumNumber">24</option>
<option name="charting.axisY.minimumNumber">0</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.chart">column</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.overlayFields">$overlayFields$</option>
<option name="charting.chart.stackMode">stacked</option>
<option name="charting.drilldown">none</option>
<option name="charting.fieldColors">{"00_work_hours": 0xc6e0b4}</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.placement">none</option>
<option name="trellis.enabled">1</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">large</option>
<option name="trellis.splitBy">employee_id</option>
</chart>
</panel>
</row>
</dashboard>

I've used a post-process search and event handler to define a token named $overlayFields$ that will dynamically set the charting.chart.overlayFields option.

Note that I haven't correctly handled schedules that cross day boundaries. @Richfez's timeline example handles this nicely, but when using a column chart, you'll need to calculate boundaries and new events in SPL using e.g. eval and mvexpand.

I don't use Dashboard Studio as often as I use Simple XML. Trellis mode and inline CSS overrides have limited or no support in Dashboard Studio, and feature parity between Splunk Cloud and Splunk Enterprise varies.
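One way to split a schedule that crosses a day boundary into per-day segments with eval and mvexpand, as the post suggests. This is an added example, not code from the original post. The single schedule row (employee 789, 22:00 to 06:00 the next day) is constructed sample data, the field names day_offset, seg_date, seg_start and seg_end are hypothetical, and day boundaries are UTC multiples of 86400 seconds, as in the searches above:

```spl
| makeresults format=csv data="employee_id,date,start_time,end_time
789,1709510400,1709589600,1709618400"
| eval start_time=tonumber(start_time), end_time=tonumber(end_time)
| eval day_offset=mvrange(0, floor(end_time/86400) - floor(start_time/86400) + 1)
| mvexpand day_offset
| eval seg_date=86400*(floor(start_time/86400) + day_offset)
| eval seg_start=max(start_time, seg_date), seg_end=min(end_time, seg_date + 86400)
| where seg_end > seg_start
| eval slack_hours=(seg_start-seg_date)/3600, work_hours=(seg_end-seg_start)/3600
| table employee_id seg_date slack_hours work_hours
```

The sample row yields two segments: slack_hours=22, work_hours=2 on the first day and slack_hours=0, work_hours=6 on the second. The where clause drops the empty segment produced when a shift ends exactly at midnight.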