How to create a line chart with multiple data searches

Path Finder

In my dashboard, I'm trying to show different types of errors in one line chart. Each type of error will come from a separate search and I would like to represent the counts as separate lines.

Is this possible or do I have to create multiple line charts?
Examples I have seen used only one search with a group by call but that won't work in this case.

I think this might be possible with multisearch if you then can group by each search and get the counts after that but so far I have not been able to get the syntax figured out.

1 Solution

Path Finder

This is possible with multisearch. You can create your queries and then use eval to tag each search result by type. You can then pipe that into a chart counting by your appended type column.

| multisearch [search index=myApp "thing1_I_am_searching_for" | eval lineSource = "Error_type_one"] [search index=myApp "thing2_I_am_searching_for" | eval lineSource = "Error_type_two"] | timechart span=1h count by lineSource


Esteemed Legend

First, glue the queries together with parentheses and OR like this:

(first query search SPL) OR (second query search SPL) OR (third query string SPL)

Then, depending on the differentiators, either this:

| stats count(SomeFieldNameAlwaysInSearchOneButNeverOthers) AS ErrorCountType1
        count(SomeFieldNameAlwaysInSearchTwoButNeverOthers) AS ErrorCountType2
        count(SomeFieldNameAlwaysInSearchThreeButNeverOthers) AS ErrorCountType3

Or this:

| stats count(eval(SomeFieldNameAlwaysInSearchOne="SomeValueAlwaysInSearchOneButNeverOthers")) AS ErrorCountType1
        count(eval(SomeFieldNameAlwaysInSearchTwo="SomeValueAlwaysInSearchTwoButNeverOthers")) AS ErrorCountType2
        count(eval(SomeFieldNameAlwaysInSearchThree="SomeValueAlwaysInSearchThreeButNeverOthers")) AS ErrorCountType3

Path Finder

I tried this but it made my linechart return no results

(index= myApp "thing1_I_am_searching_for") OR (search index= myApp "thing2_I_am_searching_for") | timechart span=1h count("thing1_I_am_searching_for") as "line 1" count("thing2_I_am_searching_for") as "line 2"

Esteemed Legend

You have to do it like this:

(index=myApp "thing1_I_am_searching_for") OR (index=myApp "thing2_I_am_searching_for")
| timechart span=1h count(eval(searchmatch("thing1_I_am_searching_for"))) AS "line 1" count(eval(searchmatch("thing2_I_am_searching_for"))) AS "line 2" ...

Path Finder

I got this working but there is some overlap in the queries and those records will only ever show up in one of the categories.


Esteemed Legend

There is always a way to refine the count(...) to avoid the overlap (you can use ANDs and ORs). We can keep going if you get more specific.

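A single-pass version of the searchmatch approach that also resolves the overlap discussed above, added here as an example (it is not code from anyone in this thread). With count(eval(searchmatch(...))) an event that matches both terms is counted in both columns; the case() below evaluates its branches in order, so each event is assigned exactly one category. The index and search terms are the thread's own placeholders; the category names Error_type_both and unclassified are assumed for illustration.

```spl
(index=myApp "thing1_I_am_searching_for") OR (index=myApp "thing2_I_am_searching_for")
| eval lineSource = case(
      searchmatch("thing1_I_am_searching_for thing2_I_am_searching_for"), "Error_type_both",
      searchmatch("thing1_I_am_searching_for"), "Error_type_one",
      searchmatch("thing2_I_am_searching_for"), "Error_type_two",
      true(), "unclassified")
| timechart span=1h count by lineSource
```

Drop the first case() branch if overlapping events should instead be folded into Error_type_one, or replace it with a searchmatch using NOT to carve the overlap out of a specific category; the base search still runs once, so the cost stays that of the single-search solution.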

Path Finder

This is possible with multisearch. You can create your queries and then use eval to tag each search result by type. You can then pipe that into a chart counting by your appended type column.

| multisearch [search index=myApp "thing1_I_am_searching_for" | eval lineSource = "Error_type_one"] [search index=myApp "thing2_I_am_searching_for" | eval lineSource = "Error_type_two"] | timechart span=1h count by lineSource

Esteemed Legend

This will work but it will be 3X as expensive and slow compared to my solution.


Path Finder

@woodcock Can you explain why this is 3x the cost?


Esteemed Legend

It runs the searches simultaneously, whereas mine runs a single search.
