topic Re: Trellis multi value by date in Splunk Search

Trellis multi value by date

indeed_2000 — Wed, 15 Apr 2020 09:13:32 GMT

Hi
I want to create chart that compare single values daily.
for example want to compare (about 30 different product codes) that exist in my log (today vs yesterday), and visualize it with Trellis where as show compare each code on separate chart (for today and yesterday)

expected chart (separate by product code=100 and product code=200 😞

I write SPL like this:

index="myindex"  | timechart count by code span=1h | timewrap d

but it combine them and show count of all product code in same chart and separate it by date!
any recommendation?

Thanks

Re: Trellis multi value by date

niketn — Wed, 30 Sep 2020 05:01:24 GMT

@indeed_2000 try making use of Splunk's internal fields date_mday and date_hour. Following is a run anywhere example based on Splunk's _internal index.

index=_internal sourcetype=splunkd earliest=-1d@d latest=now component IN ("UIAuth","WatchedFile","Metrics","PeriodicHealthReporter","LMStackManager")
| eval date_hour=printf("%02d",date_hour)
| stats count by date_hour date_mday component
| eval date_mday=if(date_mday!=strftime(now(),"%Y/%m/%d"),"Yesterday","Today")

In your case try the following and confirm!

  index="myindex"
| eval date_hour=printf("%02d",date_hour)
| stats count by date_hour date_mday code
| eval date_mday=if(date_mday!=strftime(now(),"%Y/%m/%d"),"Yesterday","Today")

Re: Trellis multi value by date

indeed_2000 — Wed, 15 Apr 2020 21:18:09 GMT

i try both, but neither of them create chart like what i describe in post.
need overlay chart for compare yesterday and today for each code in Trellis.

Re: Trellis multi value by date

to4kawa — Wed, 15 Apr 2020 23:12:53 GMT

![alt text][1]

Re: Trellis multi value by date

to4kawa — Wed, 15 Apr 2020 23:12:54 GMT

![alt text][1]

Re: Trellis multi value by date

to4kawa — Wed, 15 Apr 2020 23:12:55 GMT

![edited]

Re: Trellis multi value by date

indeed_2000 — Wed, 15 Apr 2020 23:12:56 GMT

it create several empty chart and separate them each 30 minutes!

Re: Trellis multi value by date

to4kawa — Wed, 15 Apr 2020 23:12:57 GMT

default Splunk can't display Trellis what you want.
make dashboard , use base search and display two chart.

Re: Trellis multi value by date

indeed_2000 — Wed, 15 Apr 2020 23:12:58 GMT

two chart? as I mention about 30 product codes, means 30 chart and might be increase depend on data that's why i use Tellis.

Re: Trellis multi value by date

indeed_2000 — Thu, 16 Apr 2020 07:56:16 GMT

as I mention overlay chart not separate chart for today and yesterday, need to both of them in single chart for each code.

Re: Trellis multi value by date

indeed_2000 — Thu, 16 Apr 2020 08:04:27 GMT

yes it's not difficult but I want to use it for other fields too that some of them might be increase up to 100 different items!

like this: product code=30, product id=100, product tag=80, and so on ...

I need to find a way splunk automatically create this chart because when new field add automatically add to this dashboard

Re: Trellis multi value by date

to4kawa — Thu, 16 Apr 2020 09:05:01 GMT

Do you want to look a hundred items?

see @rich7177 answer
https://answers.splunk.com/answers/529004/is-there-a-way-to-display-more-than-20-charts-at-a.html
and try another way.

Re: Trellis multi value by date

indeed_2000 — Thu, 16 Apr 2020 09:32:45 GMT

Actually my problem is this how can i generate them automatically not limitation number of chart on a single page!

Let me declare Imagine i have 10 chart, now problem is how can i create them automatically without create manually!

Re: Trellis multi value by date

to4kawa — Thu, 16 Apr 2020 09:34:48 GMT

I see , I'm sorry to waste your time.

Re: Trellis multi value by date

indeed_2000 — Thu, 16 Apr 2020 10:25:03 GMT

No no I don’t mean you waste my time 🙂
BTW thank you for your answer.