topic Re: Timechart Different Color Line in Splunk Search

Timechart Different Color Line

skoelpin — Fri, 15 May 2015 14:47:56 GMT

I have 7 web service calls which have varying response times. I have a timechart (LINE) ranging from 00:00 to 24:00, I would like to plot each web service call on that timechart but have a different color line for each web service call so I can compare them.

Is there an app I can use or is there a way to plot all 7 calls with a different color line at search time?

Re: Timechart Different Color Line

jtrucks — Fri, 15 May 2015 15:02:57 GMT

Please post the search you are using to produce your chart if you want more specific help than my answer below.

Re: Timechart Different Color Line

jtrucks — Fri, 15 May 2015 15:05:57 GMT

Most likely all you need to do is something like this:

your search to get events with each of your seven web calls like (webcallfield=1 OR webcallfield=2 OR ... webcallfield=7) | timechart count(webcallfield=1) AS ServiceCall1, count(webcallfield=2) AS ServiceCall2, count(webcallfield=3) AS ServiceCall3, count(webcallfield=4) AS ServiceCall4, count(webcallfield=5) AS ServiceCall5, count(webcallfield=6) AS ServiceCall6, count(webcallfield=7) AS ServiceCall7

Re: Timechart Different Color Line

skoelpin — Fri, 15 May 2015 15:13:45 GMT

I've included 8 calls and grouped them together using a GUID which is a unique identifier for the request and response. There will only be 2 of the same GUID's, one attached to the request and the other attached to the response so we're able to tie together the request and response. This provides a good timechart of the response times, but only gives ones line of the average response time across all calls. I need to split the calls up and let them have their own line.

index=unleashed RTG_Call="GetDeliverySchedule*" OR RTG_Call="GetProductAvailability*" OR RTG_Call="GetRelatedOrder*" OR RTG_Call="CreateOrder*" OR RTG_Call="MultiFindInShowroom*" OR RTG_Call="InqGeAuthorization*" OR RTG_Call="InqTdrsAuthorization*" OR RTG_Call="GetOrder*" | transaction GUID startswith="fterReceiveRequest" endswith="BeforeSendReply" | timechart avg(duration) AS "Response Time"

Re: Timechart Different Color Line

jtrucks — Fri, 15 May 2015 15:32:43 GMT

Change your timechart to:

... | timechart avg(duration) AS "Response Time" by RTG_Call

Re: Timechart Different Color Line

skoelpin — Fri, 15 May 2015 15:38:08 GMT

This does work BUT RTG_Call accounts for both request and response. So I'm getting 2 identical lines for each call. So for 8 web service calls, I'm getting 16 lines. Any idea on how I can exclude the dups?

Re: Timechart Different Color Line

jtrucks — Fri, 15 May 2015 15:42:53 GMT

Try adding:

... | dedup RTG_Call

To the end.

Re: Timechart Different Color Line

skoelpin — Fri, 15 May 2015 15:43:27 GMT

I didn't see the first reply you posted. Can you please elaborate more on the (webcallfield=1 etc..?).. Currently, I have it set up like RTG_Call="<GetDeliverySchedule*"and now taking your suggestion, how should I format this? Would it be like this?

(RTG_Call="&lt;GetDeliverySchedule*") = 1 or (RTG_Call="&lt;GetProductAvailability*") = 2)

Re: Timechart Different Color Line

Raghav2384 — Fri, 15 May 2015 15:44:07 GMT

Not sure if this what you're looking for

Just add the following with color codes in simple xml some where in the chart stanza .

&lt;option name="charting.seriesColors"&gt;[0x4C0000,0xXXXXXX,...........,0xZZZZZZ]&lt;/option&gt;

That should assign color to each line but it's dynamic...can't say which metric gets which color.

Hope this helps!
Thanks,
Raghav

Re: Timechart Different Color Line

skoelpin — Fri, 15 May 2015 15:45:22 GMT

I added this and nothing is coming back

| timechart avg(duration) AS "Response Time" by RTG_Call | dedup RTG_call

Re: Timechart Different Color Line

jtrucks — Fri, 15 May 2015 15:45:53 GMT

This only works if there are multiple results on the chart, not a single line. In those cases, the colors ARE different. Your method can choose the color set used, but it has nothing to do with the search producing multiple results.

Re: Timechart Different Color Line

jtrucks — Fri, 15 May 2015 15:47:11 GMT

No, I didn't have your search string that produced your results, so it was an example of different web calls. Your search should work perfectly fine. To translate, where I was using an arbitrary name of webcallfield you used your real field name of RTG_Call.

Re: Timechart Different Color Line

jtrucks — Fri, 15 May 2015 15:48:26 GMT

Hrm. Perhaps place the dedup before timechart.

Re: Timechart Different Color Line

Raghav2384 — Fri, 15 May 2015 15:51:21 GMT

Agree....read the question incorrect. I thought he's looking standard colors to pick from....apologize for going tangents

Re: Timechart Different Color Line

skoelpin — Fri, 15 May 2015 15:53:01 GMT

I just tried this and it excluded all my data except for one line but kept the dupes in calls (request and response for each call). I think this will work if I get the example you posted above working. I currently have RTG_Call="<GetDeliverySchedule*"but how should I format this? You say I can set each call = 1,2 etc.. but this would mean that it has 2 equal signs in it which would mess it up. How should I format this?

Would it be like this?

... | timechart ((RTG_Call="&lt;GetDeliverySchedule*") =1 ) AS DeliverySchedule1

Re: Timechart Different Color Line

jtrucks — Fri, 15 May 2015 17:10:59 GMT

No, my example was a fictitious search to find fields that could be acted upon.

Re: Timechart Different Color Line

jtrucks — Fri, 15 May 2015 17:13:48 GMT

In your search, you have RTG_Call="GetDeliverySchedule*". Does that mean there are two values that match due to the * at the end? Is this why you have 16 items not 8?

Re: Timechart Different Color Line

skoelpin — Mon, 28 Sep 2020 19:58:40 GMT

Yes correct, when I did the extraction, RTG_Call picks up the request and response. So when I use RTG_Call="GetDeliverySchedule*"this means the request and response.

GetDeliverySchedule is the request and GetDeliveryScheduleResponse is our response. So using a star (*) after GetDeliverySchedule would allow us to get both. In this case when I graph it, the request and response have identical response times, so would there be anyway to just exclude the responses?

Re: Timechart Different Color Line

skoelpin — Fri, 15 May 2015 19:21:01 GMT

Could I do a NOT GetDeliverySchedule* somewhere in my search to get rid of the dupes?

Re: Timechart Different Color Line

jtrucks — Fri, 15 May 2015 19:47:39 GMT

Try this (I just tested it with a similar search):

... | where NOT match(RTG_Call,"Response$")

That will remove the events with *Response at the end. If you want to keep those and not the others, remove the NOT.