topic Re: Graphing multiple data sources in one chart in Splunk Search

Graphing multiple data sources in one chart

Branden — Thu, 23 Sep 2010 03:52:21 GMT

I found some similar questions on here, but not quite what I'm trying to do.

We have web access logs from several three different web servers (same host, though). I'd like to graph the number of unique hits from each web server on the same graph in a dashboard.

For example, one search is like this:

<searchString>host="xyz" sourcetype="*access*" source="*foo.access*" | timechart dc(remote_host)</searchString>

Another search/graph is like this:

<searchString>host="xyz" sourcetype="*access*" source="*bar.access*" | timechart dc(remote_host)</searchString>

I'd like both of these results to appear on the same graph. How can I do this?

Thanks!

Re: Graphing multiple data sources in one chart

southeringtonp — Thu, 23 Sep 2010 03:57:56 GMT

It sounds like you want:

sourcetype="*access*" | timechart dc(remote_host) by host

(wrapping <searchString> tags removed for clarity)

Re: Graphing multiple data sources in one chart

gkanapathy — Thu, 23 Sep 2010 06:21:05 GMT

Probably

... | timechart dc(remote_host) by source

... | rex field=source "(?<s>[A-Za-z]+)\.access\b" | timechart dc(remote_host) by s

Re: Graphing multiple data sources in one chart

sideview — Thu, 23 Sep 2010 13:25:53 GMT

You can simply OR them together, and then use the searchmatch function of eval to give yourself a field that indicates whether this is a source containing 'foo' or a source containing 'bar'.

(Im assuming there are a lot of difference sources matching the foo.access. condition, as well as a lot of sources matching the bar.access. condition.)

This should work:

host="xyz" sourcetype="*access*" ( source="*foo.access*" OR source="*bar.access*" ) | eval type=if(searchmatch(source="*foo.access.*"),"foo","bar") | timechart dc(remote_host) by type

NOTE: this is very similar to this other answer here: http://answers.splunk.com/questions/5423/comparing-values-returned-by-two-separate-searches/5439#5439

Re: Graphing multiple data sources in one chart

Branden — Thu, 23 Sep 2010 20:19:21 GMT

Thank you for the reply. The "by source" solution works, but the path is too long for it to show the entire source file.
I can't get the "rex field=source" solution to work. Every time I ever try to use a rex in an XML file, I get a "mismatched tag" error. Not sure how to get around that.

Re: Graphing multiple data sources in one chart

Branden — Thu, 23 Sep 2010 20:20:26 GMT

Thank you for the reply. I think "by host" should be "by source", no? That works but, as I said in my comment below, the path to the source file is too long so it gets abbreviated, making it impossible to tell which source is which on the graph...

Re: Graphing multiple data sources in one chart

southeringtonp — Thu, 23 Sep 2010 23:02:20 GMT

Yes - my apologies, I read too quickly and missed where you said they were all on the same host. See below - the rex approach gkanapathy suggests is likely your best one.

Re: Graphing multiple data sources in one chart

southeringtonp — Thu, 23 Sep 2010 23:04:02 GMT

If you have angle brackets in the regex you need to either escape them, or preferably wrap them in a CDATA block. This link has an example of what CDATA looks like: http://www.quackit.com/xml/tutorial/xml_cdata.cfm

Re: Graphing multiple data sources in one chart

Branden — Fri, 24 Sep 2010 00:33:17 GMT

Aaah. Worked! Thanks, both of you!

Re: Graphing multiple data sources in one chart

Branden — Fri, 24 Sep 2010 00:33:42 GMT

Thanks for the response!

Re: Graphing multiple data sources in one chart

coolsachin2390 — Fri, 22 Mar 2013 19:24:21 GMT

Hello,
Even m facing a same type of problem and by source works, but what if there are n no of distinct values in source and i want to plot graph for only 2 particular values..