How to create a line chart with multiple series?

Iris_Pi — Thu, 19 Sep 2024 02:12:21 GMT

Hello everyone,

I have collected some firewall traffic data: two firewalls(fw1/fw2), each has two interfaces(ethernet1/1&2), will collect rxbytes and txbytes every 5 minutes.

The raw data is showed as below:
>>>
{"timestamp": 1726668551, "fwname": "fw1", "interface": "ethernet1/1", "rxbytes": 59947791867743, "txbytes": 37019023811192}
{"timestamp": 1726668551, "fwname": "fw1", "interface": "ethernet1/2", "rxbytes": 63755935850903, "txbytes": 32252936430552}
{"timestamp": 1726668551, "fwname": "fw2", "interface": "ethernet1/1", "rxbytes": 0, "txbytes": 0}
{"timestamp": 1726668551, "fwname": "fw2", "interface": "ethernet1/2", "rxbytes": 0, "txbytes": 0}
{"timestamp": 1726668851, "fwname": "fw1", "interface": "ethernet1/1", "rxbytes": 59948210937804, "txbytes": 37019791801583}
{"timestamp": 1726668851, "fwname": "fw1", "interface": "ethernet1/2", "rxbytes": 63755965708078, "txbytes": 32253021060643}
{"timestamp": 1726668851, "fwname": "fw2", "interface": "ethernet1/1", "rxbytes": 0, "txbytes": 0}
{"timestamp": 1726668851, "fwname": "fw2", "interface": "ethernet1/2", "rxbytes": 0, "txbytes": 0}
{"timestamp": 1726669151, "fwname": "fw1", "interface": "ethernet1/1", "rxbytes": 59948636904106, "txbytes": 37020560028933}
{"timestamp": 1726669151, "fwname": "fw1", "interface": "ethernet1/2", "rxbytes": 63756002542165, "txbytes": 32253111011234}
{"timestamp": 1726669151, "fwname": "fw2", "interface": "ethernet1/1", "rxbytes": 0, "txbytes": 0}
{"timestamp": 1726669151, "fwname": "fw2", "interface": "ethernet1/2", "rxbytes": 0, "txbytes": 0}
{"timestamp": 1726669451, "fwname": "fw1", "interface": "ethernet1/1", "rxbytes": 59949094737896, "txbytes": 37021330717977}
{"timestamp": 1726669451, "fwname": "fw1", "interface": "ethernet1/2", "rxbytes": 63756101313559, "txbytes": 32253199085252}
{"timestamp": 1726669451, "fwname": "fw2", "interface": "ethernet1/1", "rxbytes": 0, "txbytes": 0}
{"timestamp": 1726669451, "fwname": "fw2", "interface": "ethernet1/2", "rxbytes": 0, "txbytes": 0}
{"timestamp": 1726669752, "fwname": "fw1", "interface": "ethernet1/1", "rxbytes": 59949550987330, "txbytes": 37022105630147}
{"timestamp": 1726669752, "fwname": "fw1", "interface": "ethernet1/2", "rxbytes": 63756167141302, "txbytes": 32253286546113}
{"timestamp": 1726669752, "fwname": "fw2", "interface": "ethernet1/1", "rxbytes": 0, "txbytes": 0}
{"timestamp": 1726669752, "fwname": "fw2", "interface": "ethernet1/2", "rxbytes": 0, "txbytes": 0}
{"timestamp": 1726670052, "fwname": "fw1", "interface": "ethernet1/1", "rxbytes": 59949968397016, "txbytes": 37022870539739}
{"timestamp": 1726670052, "fwname": "fw1", "interface": "ethernet1/2", "rxbytes": 63756401499253, "txbytes": 32253380028970}
{"timestamp": 1726670052, "fwname": "fw2", "interface": "ethernet1/1", "rxbytes": 0, "txbytes": 0}
{"timestamp": 1726670052, "fwname": "fw2", "interface": "ethernet1/2", "rxbytes": 0, "txbytes": 0}
<<<

Now I need to create one chart to show the value of "rxbytes" over time, with 4 series:
(series 1) fw1, interface1/1
(series 2) fw1, interface1/2
(series 3) fw2, interface1/1
(series 4) fw2, interface1/2

But I have problem to compose the SPL statement for this purpose. can you please help here? thank you in advance!

Re: How to create a line chart with multiple series?

gcusello — Thu, 19 Sep 2024 06:40:31 GMT

Hi @Iris_Pi ,

supponing that the _time of your events is the Timestamp field, you have two solutions:

1) using stats (supponing a span of 1 hour):

<your_search> | bin span=1h _time | stats sum(rxbytes) AS rxbytes BY fwname interface

2) using timechart (supponing a span of 1 hour):

<your_search> | eval col=fwname.", "interface | timechart span=1h sum(rxbytes) AS rxbytes BY col

I prefer the first one.

Ciao.

Giuseppe

Re: How to create a line chart with multiple series?

Iris_Pi — Thu, 19 Sep 2024 07:06:52 GMT

Thanks Giuseppe for your advice.

The second one works.

The first one somehow only returns 4 lines of results.

Re: How to create a line chart with multiple series?

gcusello — Thu, 19 Sep 2024 07:25:29 GMT

Hi @Iris_Pi ,

the first solution requires that you always have both fwname and interface fields.

Ciao.

Giuseppe

topic Re: How to create a line chart with multiple series? in Dashboards & Visualizations

How to create a line chart with multiple series?

Re: How to create a line chart with multiple series?

Re: How to create a line chart with multiple series?

Re: How to create a line chart with multiple series?