https://community.splunk.com/t5/Splunk-Search/timechart-with-multiple-series/m-p/675696#M231154 <P>Hi,&nbsp;</P><P>Im trying to create a dashboard that easily presents api endpoint performance metrics&nbsp;<BR /><BR />I am generating a summary index using the following search</P><P>&nbsp;</P><LI-CODE lang="markup">index=my_index app_name="my_app" sourcetype="aws:ecs" "line.logger"=USAGE_LOG | fields _time line.uri_path line.execution_time line.status line.clientId ``` use a regex to figure out the endpoint from the uri path``` | lookup endpoint_regex_lookup matchstring as line.uri_path OUTPUT app endpoint match | rename line.status as http_status, line.clientId as client_id | fillnull value="" http_status client_id | bin _time span=1m | sistats count as volume p50(line.execution_time) as P50 p90(line.execution_time) as P90 p95(line.execution_time) as P95 p99(line.execution_time) as P99 by _time app endpoint http_status client_id</LI-CODE><P>&nbsp;</P><P><BR />and i can use searches like this&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">index=summary source=summary-my_app | timechart $t_span$ p50(line.execution_time) as P50 p90(line.execution_time) as P90 p95(line.execution_time) as P95 p99(line.execution_time) as P99 by endpoint | sort endpoint --- index=summary source=summary-my_app | timechart span=1m count by endpoint</LI-CODE><P>&nbsp;</P><P><SPAN>so i can generate a dashboard using a trellis layout that maps the performance of our endpoints without having to hard-code a bunch of panels.</SPAN></P><P><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-01-29 at 11.25.29.png" style="width: 960px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/29109i144294B939C1D431/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2024-01-29 at 11.25.29.png" alt="Screenshot 2024-01-29 at 11.25.29.png" /></span></P><P><SPAN>im trying to add a chart that displays the http_status counts over time for each endpoint (similar to the latency chart)</SPAN><SPAN>.</SPAN></P><DIV><DIV><SPAN><SPAN>Ive tried a number of different things, but cant get it work.<BR /><BR />i know i cant use the following:&nbsp;<BR /><BR /></SPAN></SPAN></DIV></DIV><P>&nbsp;</P><LI-CODE lang="markup">index=summary source=summary-my_app | timechart count by endpoint http_status</LI-CODE><P>&nbsp;</P><P><SPAN><SPAN>so thought the following might work:<BR /></SPAN></SPAN></P><P>&nbsp;</P><LI-CODE lang="markup">index=summary source=summary-my_app | stats count by endpoint http_status _time</LI-CODE><P>&nbsp;</P><P><SPAN><BR />but this shows me the http_status counts on a single line rather than as seperate series.<BR /></SPAN></P><DIV><SPAN>Does anyone know how i could get this work?</SPAN></DIV><DIV>&nbsp;</DIV><DIV>&nbsp;</DIV><DIV>&nbsp;</DIV> Mon, 29 Jan 2024 03:20:22 GMT clamarkv 2024-01-29T03:20:22Z https://community.splunk.com/t5/Splunk-Search/timechart-with-multiple-series/m-p/675696#M231154 <P>Hi,&nbsp;</P><P>Im trying to create a dashboard that easily presents api endpoint performance metrics&nbsp;<BR /><BR />I am generating a summary index using the following search</P><P>&nbsp;</P><LI-CODE lang="markup">index=my_index app_name="my_app" sourcetype="aws:ecs" "line.logger"=USAGE_LOG | fields _time line.uri_path line.execution_time line.status line.clientId ``` use a regex to figure out the endpoint from the uri path``` | lookup endpoint_regex_lookup matchstring as line.uri_path OUTPUT app endpoint match | rename line.status as http_status, line.clientId as client_id | fillnull value="" http_status client_id | bin _time span=1m | sistats count as volume p50(line.execution_time) as P50 p90(line.execution_time) as P90 p95(line.execution_time) as P95 p99(line.execution_time) as P99 by _time app endpoint http_status client_id</LI-CODE><P>&nbsp;</P><P><BR />and i can use searches like this&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">index=summary source=summary-my_app | timechart $t_span$ p50(line.execution_time) as P50 p90(line.execution_time) as P90 p95(line.execution_time) as P95 p99(line.execution_time) as P99 by endpoint | sort endpoint --- index=summary source=summary-my_app | timechart span=1m count by endpoint</LI-CODE><P>&nbsp;</P><P><SPAN>so i can generate a dashboard using a trellis layout that maps the performance of our endpoints without having to hard-code a bunch of panels.</SPAN></P><P><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-01-29 at 11.25.29.png" style="width: 960px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/29109i144294B939C1D431/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2024-01-29 at 11.25.29.png" alt="Screenshot 2024-01-29 at 11.25.29.png" /></span></P><P><SPAN>im trying to add a chart that displays the http_status counts over time for each endpoint (similar to the latency chart)</SPAN><SPAN>.</SPAN></P><DIV><DIV><SPAN><SPAN>Ive tried a number of different things, but cant get it work.<BR /><BR />i know i cant use the following:&nbsp;<BR /><BR /></SPAN></SPAN></DIV></DIV><P>&nbsp;</P><LI-CODE lang="markup">index=summary source=summary-my_app | timechart count by endpoint http_status</LI-CODE><P>&nbsp;</P><P><SPAN><SPAN>so thought the following might work:<BR /></SPAN></SPAN></P><P>&nbsp;</P><LI-CODE lang="markup">index=summary source=summary-my_app | stats count by endpoint http_status _time</LI-CODE><P>&nbsp;</P><P><SPAN><BR />but this shows me the http_status counts on a single line rather than as seperate series.<BR /></SPAN></P><DIV><SPAN>Does anyone know how i could get this work?</SPAN></DIV><DIV>&nbsp;</DIV><DIV>&nbsp;</DIV><DIV>&nbsp;</DIV> Mon, 29 Jan 2024 03:20:22 GMT https://community.splunk.com/t5/Splunk-Search/timechart-with-multiple-series/m-p/675696#M231154 clamarkv 2024-01-29T03:20:22Z https://community.splunk.com/t5/Splunk-Search/timechart-with-multiple-series/m-p/675702#M231156 <P>I'm not entirely sure if I understand what you're asking for, but it sounds like this might be resolved by defining more fields? eg:</P><P>| eval status_{http_status}=http_status<BR />| timechart count(status_*) as * by endpoint</P><P>Would that do the trick?&nbsp;</P> Mon, 29 Jan 2024 06:21:27 GMT https://community.splunk.com/t5/Splunk-Search/timechart-with-multiple-series/m-p/675702#M231156 shonias 2024-01-29T06:21:27Z