I am very new to Splunk.
I need to create a stacked bar/area chart where I have two separate searches. I'd like to show the small areas on top of the bigger area. I tried to use the `sort` function but it did not work.
The search function that I use is something like this:
```
source="/xx/*.csv" Field1<500 Field2 Field3="*"
| timechart span=30m count(Field1) AS Latency_lower_than_500ms
| appendcols [search source="/xx/*.csv" Field1<500 Field2 Field3="*"
    | timechart span=30m count(Field1) AS Latency_greater_than_500ms]
| sort -Field1
```
This always shows the bigger area (latency lower than 500ms) on the top, but I want it on the 1st stack so that the small one is stacked on top of the bigger one.
Appreciate any suggestions and help.
Thank you!