In my dashboard, I'm trying to show different types of errors in one line chart. Each type of error will come from a separate search and I would like to represent the counts as separate lines.
Is this possible or do I have to create multiple line charts?
Examples I have seen used only one search with a group by call but that won't work in this case.
I think this might be possible with multisearch if you then can group by each search and get the counts after that but so far I have not been able to get the syntax figured out.
This is possible with multisearch. You can create your queries and then use eval to tag each search result by type. You can then pipe that into a chart counting by your appended type column.
| multisearch [search index=myApp "thing1_I_am_searching_for" | eval lineSource = "Error_type_one"] [search index=myApp "thing2_I_am_searching_for" | eval lineSource = "Error_type_two"] | timechart span=1h count by lineSource
First, glue the queries together with parentheses and OR like this:
(first query search SPL) OR (second query search SPL) OR (third query string SPL)
Then, depending on the differentiators, either this:
| stats count(SomeFieldNameAlwaysInSearchOneButNeverOthers) AS ErrorCountType1
count(SomeFieldNameAlwaysInSearchTwoButNeverOthers) AS ErrorCountType2
count(SomeFieldNameAlwaysInSearchThreeButNeverOthers) AS ErrorCountType3
Or this:
| stats count(eval(SomeFieldNameAlwaysInSearchOne="SomeValueAlwaysInSearchOneButNeverOthers")) AS ErrorCountType1
count(eval(SomeFieldNameAlwaysInSearchTwo="SomeValueAlwaysInSearchTwoButNeverOthers")) AS ErrorCountType2
count(eval(SomeFieldNameAlwaysInSearchThree="SomeValueAlwaysInSearchThreeButNeverOthers")) AS ErrorCountType3
I tried this but it made my linechart return no results
(index= myApp "thing1_I_am_searching_for") OR (search index= myApp "thing2_I_am_searching_for") | timechart span=1h count("thing1_I_am_searching_for") as "line 1" count("thing2_I_am_searching_for") as "line 2"
You have to do it like this:
(index=myApp "thing1_I_am_searching_for") OR (index=myApp "thing2_I_am_searching_for")
| timechart span=1h count(eval(searchmatch("thing1_I_am_searching_for"))) AS "line 1" count(eval(searchmatch("thing2_I_am_searching_for"))) AS "line 2" ...
I got this working but there is some overlap in the queries and those records will only ever show up in one of the categories.
There is always a way to refine the count(...) to avoid the overlap (you can use ANDs and ORs). We can keep going if you get more specific.
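The overlap raised above is the usual weakness of counting with several independent count(eval(searchmatch(...))) clauses: an event that matches both terms is counted on both lines. The single-search variant below is an added example, not code from either poster; it keeps woodcock's single OR'd base search but classifies each event exactly once with case(), which returns the first condition that is true, so an event matching both terms lands only in the first bucket. The index name and the two search strings are the ones used in the thread; the field name errorType and the "unclassified" catch-all bucket are assumptions made for this example.

```spl
(index=myApp "thing1_I_am_searching_for") OR (index=myApp "thing2_I_am_searching_for")
| eval errorType=case(
      searchmatch("thing1_I_am_searching_for"), "Error_type_one",
      searchmatch("thing2_I_am_searching_for"), "Error_type_two",
      true(), "unclassified")
| timechart span=1h count by errorType
```

Each event contributes to exactly one series, so the per-bucket counts sum to the total hit count of the base search, which is an easy sanity check against the separate-count approach. The "unclassified" row should stay empty; if it does not, the base search is matching events that neither searchmatch() term covers, usually because of quoting or field-extraction differences between the base search and the eval. Order the case() branches from most specific to least specific if the search terms are not mutually exclusive, since the first true branch wins.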
This is possible with multisearch. You can create your queries and then use eval to tag each search result by type. You can then pipe that into a chart counting by your appended type column.
| multisearch [search index=myApp "thing1_I_am_searching_for" | eval lineSource = "Error_type_one"] [search index=myApp "thing2_I_am_searching_for" | eval lineSource = "Error_type_two"] | timechart span=1h count by lineSource
This will work but it will be 3X as expensive and slow compared to my solution.
@woodcock Can you explain why this 3x the cost?
It runs the searches simultaneously, whereas mine runs a single search.