topic Re: How to show to line chart for failureCount, warningCounttimechart by time? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-show-to-line-chart-for-failureCount-warningCounttimechart/m-p/598606#M208436 <P>Thanks, it works, However I am doing like below</P><P>&lt;search id="pubsubLatencyHighAckDelayDFBaseSearch"&gt;<BR />&lt;query&gt;index="deng03-cis-dev-audit" | spath PATH=data.labels.verbose_message output=verbose_message | eval serviceName = mvindex(split(index, "-"), 1)."-".mvindex(split(host, "-"), 2) |search "data.labels.activity_type_name"="ViolationOpenEventv1" | where (verbose_message like "%Oldest unacked message age%evt%" or verbose_message like "%Oldest unacked message age%rec%") | eval error=case(like(verbose_message,"%above the threshold of 1800.000%"), "warning", like(verbose_message,"%above the threshold of 300.000%"), "failure")&nbsp; &lt;/query&gt;<BR />&lt;earliest&gt;$time.earliest$&lt;/earliest&gt;</P><P>Now I want to append a line in below&nbsp;&lt;row&gt;<BR />&lt;panel&gt;<BR />&lt;title&gt;STATS : SLI/SLO Dashboard count&lt;/title&gt;<BR />&lt;table&gt;<BR />&lt;search base="pubsubLatencyHighAckDelayDFBaseSearch"&gt;&lt;/search&gt;<BR /><BR />&lt;/table&gt;<BR />&lt;/panel&gt;<BR />&lt;/row&gt;<BR />&lt;latest&gt;$time.latest$&lt;/latest&gt;<BR />&lt;sampleRatio&gt;1&lt;/sampleRatio&gt;<BR />&lt;/search&gt;</P><P>How can we append line in&nbsp;&lt;search base="pubsubLatencyHighAckDelayDFBaseSearch"&gt;&lt;/search&gt;?</P> Fri, 20 May 2022 05:15:03 GMT dezmadi 2022-05-20T05:15:03Z How to show to line chart for failureCount, warningCounttimechart by time? https://community.splunk.com/t5/Splunk-Search/How-to-show-to-line-chart-for-failureCount-warningCounttimechart/m-p/598416#M208378 <P>Hi,</P> <P>&nbsp;</P> <P>I am using below query in my Dashboard</P> <P>index="deng03-cis-dev-audit" | spath PATH=data.labels.verbose_message output=verbose_message | eval serviceName = mvindex(split(index, "-"), 1)."-".mvindex(split(host, "-"), 2) |search "data.labels.activity_type_name"="ViolationOpenEventv1" | where (verbose_message like "%Oldest unacked message age%evt%" or verbose_message like "%Oldest unacked message age%rec%") | eval error=case(like(verbose_message,"%above the threshold of 1800.000%"), "warning", like(verbose_message,"%above the threshold of 300.000%"), "failure") | stats values(serviceName) as serviceName count(eval(error=="failure")) as failureCount count(eval(error=="warning")) as warningCounttimechart</P> <P>I want to show to line chart for&nbsp;failureCount,&nbsp;warningCounttimechart by time, I tried appending&nbsp; timechart span=1d count by failureCount, warningCounttimechart, but of no use</P> Thu, 19 May 2022 07:14:36 GMT https://community.splunk.com/t5/Splunk-Search/How-to-show-to-line-chart-for-failureCount-warningCounttimechart/m-p/598416#M208378 dezmadi 2022-05-19T07:14:36Z Re: Splunk multiple line chart date wise https://community.splunk.com/t5/Splunk-Search/How-to-show-to-line-chart-for-failureCount-warningCounttimechart/m-p/598420#M208380 <P>Try changing</P><LI-CODE lang="markup">| stats values(serviceName) as serviceName count(eval(error=="failure")) as failureCount count(eval(error=="warning")) as warningCounttimechart</LI-CODE><P>to</P><LI-CODE lang="markup">| timechart count by error</LI-CODE> Thu, 19 May 2022 06:09:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-show-to-line-chart-for-failureCount-warningCounttimechart/m-p/598420#M208380 ITWhisperer 2022-05-19T06:09:46Z Re: How to show to line chart for failureCount, warningCounttimechart by time? https://community.splunk.com/t5/Splunk-Search/How-to-show-to-line-chart-for-failureCount-warningCounttimechart/m-p/598606#M208436 <P>Thanks, it works, However I am doing like below</P><P>&lt;search id="pubsubLatencyHighAckDelayDFBaseSearch"&gt;<BR />&lt;query&gt;index="deng03-cis-dev-audit" | spath PATH=data.labels.verbose_message output=verbose_message | eval serviceName = mvindex(split(index, "-"), 1)."-".mvindex(split(host, "-"), 2) |search "data.labels.activity_type_name"="ViolationOpenEventv1" | where (verbose_message like "%Oldest unacked message age%evt%" or verbose_message like "%Oldest unacked message age%rec%") | eval error=case(like(verbose_message,"%above the threshold of 1800.000%"), "warning", like(verbose_message,"%above the threshold of 300.000%"), "failure")&nbsp; &lt;/query&gt;<BR />&lt;earliest&gt;$time.earliest$&lt;/earliest&gt;</P><P>Now I want to append a line in below&nbsp;&lt;row&gt;<BR />&lt;panel&gt;<BR />&lt;title&gt;STATS : SLI/SLO Dashboard count&lt;/title&gt;<BR />&lt;table&gt;<BR />&lt;search base="pubsubLatencyHighAckDelayDFBaseSearch"&gt;&lt;/search&gt;<BR /><BR />&lt;/table&gt;<BR />&lt;/panel&gt;<BR />&lt;/row&gt;<BR />&lt;latest&gt;$time.latest$&lt;/latest&gt;<BR />&lt;sampleRatio&gt;1&lt;/sampleRatio&gt;<BR />&lt;/search&gt;</P><P>How can we append line in&nbsp;&lt;search base="pubsubLatencyHighAckDelayDFBaseSearch"&gt;&lt;/search&gt;?</P> Fri, 20 May 2022 05:15:03 GMT https://community.splunk.com/t5/Splunk-Search/How-to-show-to-line-chart-for-failureCount-warningCounttimechart/m-p/598606#M208436 dezmadi 2022-05-20T05:15:03Z