I want to show an area graph with an average line trough it. This is the search I'm using:
eventtype=windows_performance object=Process | timechart span=5m count as Alerts | appendcols [search eventtype=windows_performance object=Process | stats count as average | eval average=average/48] | eventstats first(average) as test | fields - average
What is does it create a timechart for the last 4 hours, then I search for the total number and divide it to match the timechart span (4hours = 240minutes, 240m/5m = 48)
This graph is almost showing what I want, but for the second series I want a line, not area.
Any ideas on how to to achieve this?
I have tried this sollution, but it shows colums for all series. Even a direct copy of the answer shows colums for every series. I'm using 6.0, could this be for an older version of Splunk? http://answers.splunk.com/answers/89399/add-a-line-overlay-to-a-column-chart
Here is the current XML for it:
<dashboard>
<label>testtest</label>
<description/>
<label>sample overlay simple xml</label>
<row>
<chart>
<title>testgraph</title>
<searchString>eventtype=windows_performance object=Process | timechart span=5m count as Alerts | appendcols [search eventtype=windows_performance object=Process | stats count as average | eval average=average/48] | eventstats first(average) as test | fields - average</searchString>
<earliestTime>-4h@m</earliestTime>
<latestTime>now</latestTime>
<option name="charting.chart">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
</chart>
</row>
</dashboard>