Dashboards & Visualizations

How to create a line chart with multiple data searches

swazimodo
Path Finder

In my dashboard, I'm trying to show different types of errors in one line chart. Each type of error will come from a separate search and I would like to represent the counts as separate lines.

Is this possible or do I have to create multiple line charts?
Examples I have seen used only one search with a group by call but that won't work in this case.

I think this might be possible with multisearch if you then can group by each search and get the counts after that but so far I have not been able to get the syntax figured out.

1 Solution

swazimodo
Path Finder

This is possible with multisearch. You can create your queries and then use eval to tag each search result by type. You can then pipe that into a chart counting by the your appended type column.

| multisearch [search index=myApp "thing1_I_am_searching_for" | eval lineSource = "Error_type_one"] [search index=myApp "thing2_I_am_searching_for" | eval lineSource = "Error_type_two"] | timechart span=1h count by lineSource

View solution in original post

woodcock
Esteemed Legend

First, glue the queries together with parentheses and OR like this:

(first query search SPL) OR (second query search SPL) OR (third query string SPL)

Then, depending on the differentiators, either this:

| stats count(SomeFieldNameAlwaysInSearchOneButNeverOthers) AS ErrorCountType1
        count(SomeFieldNameAlwaysInSearchTwoButNeverOthers) AS ErrorCountType2
        count(SomeFieldNameAlwaysInSearchThreeButNeverOthers) AS ErrorCountType3

Or this:

| stats count(eval(SomeFieldNameAlwaysInSearchOne="SomeValueAlwaysInSearchOneButNeverOthers")) AS ErrorCountType1
        count(eval(SomeFieldNameAlwaysInSearchTwo="SomeValueAlwaysInSearchTwoButNeverOthers")) AS ErrorCountType2
        count(eval(SomeFieldNameAlwaysInSearchThree="SomeValueAlwaysInSearchThreeButNeverOthers")) AS ErrorCountType3
0 Karma

swazimodo
Path Finder

I tried this but it made my linechart return no results

(index= myApp "thing1_I_am_searching_for") OR (search index= myApp "thing2_I_am_searching_for") | timechart span=1h count("thing1_I_am_searching_for") as "line 1" count("thing2_I_am_searching_for") as "line 2"
0 Karma

woodcock
Esteemed Legend

You have to do it like this:

(index=myApp "thing1_I_am_searching_for") OR (search index=myApp "thing2_I_am_searching_for")
| timechart span=1h count(eval(searchmatch("thing1_I_am_searching_for"))  AS "line 1" count(eval(searchmatch("thing2_I_am_searching_for"))) AS "line 2" ...
0 Karma

swazimodo
Path Finder

I got this working but there is some overlap in the queries and those records will only ever show up in one of the categories.

0 Karma

woodcock
Esteemed Legend

There is always a way to refine the count(...) to avoid the overlap (you can use ANDs and ORs ). We can keep going if you get more specific.

0 Karma

swazimodo
Path Finder

This is possible with multisearch. You can create your queries and then use eval to tag each search result by type. You can then pipe that into a chart counting by the your appended type column.

| multisearch [search index=myApp "thing1_I_am_searching_for" | eval lineSource = "Error_type_one"] [search index=myApp "thing2_I_am_searching_for" | eval lineSource = "Error_type_two"] | timechart span=1h count by lineSource

woodcock
Esteemed Legend

This will work but it will be 3X as expensive and slow compared to my solution.

0 Karma

swazimodo
Path Finder

@woodcock Can you explain why this 3x the cost?

0 Karma

woodcock
Esteemed Legend

It runs the searches simultaneously, whereas mine runs a single search.

0 Karma
Get Updates on the Splunk Community!

New Splunk Observability innovations: Deeper visibility and smarter alerting to ...

You asked, we delivered. Splunk Observability Cloud has several new innovations giving you deeper visibility ...

Synthetic Monitoring: Not your Grandma’s Polyester! Tech Talk: DevOps Edition

Register today and join TekStream on Tuesday, February 28 at 11am PT/2pm ET for a demonstration of Splunk ...

Instrumenting Java Websocket Messaging

Instrumenting Java Websocket MessagingThis article is a code-based discussion of passing OpenTelemetry trace ...