topic Re: overlay chart in Splunk Search

overlay chart

maniishpawar — Wed, 24 May 2017 20:24:08 GMT

how to create a single chart with two values.
one showing sum of requests in span=5m window
and other showing request processed by each server in that 5m window.

Re: overlay chart

cmerriman — Wed, 24 May 2017 20:27:25 GMT

do you have some of the syntax that you're working with?

...|timechart limit=0 span=5m sum(requests) sum(requestProcessed) by server

you can go into the format section and click on 'chart overlay' and select the field you'd like to overlay, if you want, otherwise they'll both be on the same axis. either way, this might work, depending on the fieldnames.

Re: overlay chart

maniishpawar — Tue, 29 Sep 2020 14:11:51 GMT

index=myapp* sourcetype=iis* | bucket _time span=5m| eventstats count as _tcount1 by _time | timechart avg(_tcount1) count by host

Re: overlay chart

cmerriman — Wed, 24 May 2017 20:40:23 GMT

try this:

index=myapp* sourcetype=iis* | bucket _time span=5m| eventstats count as _tcount1 by _time | chart limit=0 max(_tcount1) count by _time host

Re: overlay chart

maniishpawar — Thu, 25 May 2017 13:35:21 GMT

this didnt gave the correct results.
Here is the requirement
for a given instant of time , say 9;00 to 9:05 get a total count of request received across all host ( 30000)
then for the same 9:00 to 9:05 window, i want to show how much requests each host served , say 6 hosts each serving 5000

so the graph should show me line graph for each host req count and
bar group for total count of 9:00-9:05 window

Re: overlay chart

cmerriman — Thu, 25 May 2017 13:45:20 GMT

what is my syntax showing you after you format it as a chart overlay and change one to bar and one to line? can you show me? I think i understand what you're wanting, but i'm just not sure what's wrong. The eventstats should give a total count for all events every 5 minutes and then the chart command would show the value (max) of that on the 5 minute interval and also count the events by host and 5 minute interval.

https://docs.splunk.com/Documentation/Splunk/6.6.0/Viz/Chartcontrols#Chart_overlay_example_.28dual_axis.29

Re: overlay chart

maniishpawar — Thu, 25 May 2017 14:51:26 GMT

the issue is the max is also grouped by host when displayed in charthttps://goo.gl/p8a5Wd

Re: overlay chart

maniishpawar — Thu, 25 May 2017 14:53:46 GMT

https://goo.gl/JGoMiD

Re: overlay chart

cmerriman — Thu, 25 May 2017 15:04:53 GMT

try adding:

...|foreach max* [eval tcount1='<<FIELD>>']|fields - max*

Re: overlay chart

maniishpawar — Thu, 25 May 2017 15:17:35 GMT

great this works just perfect.
Can you please help me understand foreach max* [eval tcount1='<>']|fields - max*.

specifically [eval tcount1='<>']|fields - max*
so far I can infer that for all the fields that start with max* its evaluating tcount1.
but how is it getting only one value of tcount1.

Re: overlay chart

cmerriman — Thu, 25 May 2017 15:21:53 GMT

foreach takes all fields specified (in this case all fields beginning with max) and can do evaluations on them. so we're evaluating a new field called tcount1 and grabbing the values of the fields we call in the foreach statement. Since they're the same value for every time increment, i wasn't concerned about adding them together, so all we need is to call it once. if we needed to add them together, we might use MATCHSTR

http://docs.splunk.com/Documentation/Splunk/6.6.0/SearchReference/Foreach#Syntax

Re: overlay chart

maniishpawar — Thu, 25 May 2017 15:56:26 GMT

Thank you for the explanation.