Building for the Splunk Platform

timechart with dynamic data series?

yww325
New Member

I found a document saying you can create multiple data series here:
http://docs.splunk.com/Documentation/Splunk/latest/Search/Chartmultipledataseries
But the number of data series is a fixed value, you have to specify these names and conditions for each of them.
In my case, let's assume we have a ReturnCode field and an AppName field in the search return, the return number could be any number.
I want to see a timely distribution, so I used time chart, and I also want data series group by AppName and ReturnCode, so now I use like | timechart count(eval(ReturnCode=1)) as 1, count(eval(ReturnCode=2)) as 2 by AppName
But I realize the ReturnCode can be totally different according to the application(AppName), for AppA, return code can be 1,2,3,4; for AppB, return code can be 2,3,5. I want one colored data series for each combination of AppName+ReturnCode in the timechart
How can I achieve that?

Tags (1)
0 Karma
1 Solution

somesoni2
Revered Legend

Give this a try

your base search 
| eval App_RC=AppName.":".ReturnCode
| timechart count by App_RC

View solution in original post

yww325
New Member

Yes, that will work, thank you.

0 Karma

somesoni2
Revered Legend

Give this a try

your base search 
| eval App_RC=AppName.":".ReturnCode
| timechart count by App_RC

niketn
Legend

@yww325, I have converted @somesoni2 's comment to answer. Please accept to mark this as answered.
Also make sure you post your comments using Add comment for specific thread instead of posting a new answer.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Get Updates on the Splunk Community!

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...

Security Highlights | January 2023 Newsletter

January 2023 Splunk Security Essentials (SSE) 3.7.0 ReleaseThe free Splunk Security Essentials (SSE) 3.7.0 app ...

Platform Highlights | January 2023 Newsletter

 January 2023Peace on Earth and Peace of Mind With Business ResilienceAll organizations can start the new year ...