Dashboards & Visualizations
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a line chart with multiple data searches

swazimodo
Path Finder
‎11-21-2019 10:42 AM

In my dashboard, I'm trying to show different types of errors in one line chart. Each type of error will come from a separate search and I would like to represent the counts as separate lines.

Is this possible or do I have to create multiple line charts?
Examples I have seen used only one search with a group by call but that won't work in this case.

I think this might be possible with multisearch if you then can group by each search and get the counts after that but so far I have not been able to get the syntax figured out.

Reply
1 Solution
Solved! Jump to solution
Solution

swazimodo
Path Finder
‎11-21-2019 12:13 PM

This is possible with multisearch. You can create your queries and then use eval to tag each search result by type. You can then pipe that into a chart counting by the your appended type column.

| multisearch [search index=myApp "thing1_I_am_searching_for" | eval lineSource = "Error_type_one"] [search index=myApp "thing2_I_am_searching_for" | eval lineSource = "Error_type_two"] | timechart span=1h count by lineSource

View solution in original post

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎11-21-2019 02:47 PM

First, glue the queries together with parentheses and OR like this:

(first query search SPL) OR (second query search SPL) OR (third query string SPL)

Then, depending on the differentiators, either this:

| stats count(SomeFieldNameAlwaysInSearchOneButNeverOthers) AS ErrorCountType1
        count(SomeFieldNameAlwaysInSearchTwoButNeverOthers) AS ErrorCountType2
        count(SomeFieldNameAlwaysInSearchThreeButNeverOthers) AS ErrorCountType3

Or this:

| stats count(eval(SomeFieldNameAlwaysInSearchOne="SomeValueAlwaysInSearchOneButNeverOthers")) AS ErrorCountType1
        count(eval(SomeFieldNameAlwaysInSearchTwo="SomeValueAlwaysInSearchTwoButNeverOthers")) AS ErrorCountType2
        count(eval(SomeFieldNameAlwaysInSearchThree="SomeValueAlwaysInSearchThreeButNeverOthers")) AS ErrorCountType3
0 Karma
Reply
Solved! Jump to solution

swazimodo
Path Finder
‎11-22-2019 07:10 AM

I tried this but it made my linechart return no results

(index= myApp "thing1_I_am_searching_for") OR (search index= myApp "thing2_I_am_searching_for") | timechart span=1h count("thing1_I_am_searching_for") as "line 1" count("thing2_I_am_searching_for") as "line 2"
0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎11-22-2019 08:14 AM

You have to do it like this:

(index=myApp "thing1_I_am_searching_for") OR (search index=myApp "thing2_I_am_searching_for")
| timechart span=1h count(eval(searchmatch("thing1_I_am_searching_for"))  AS "line 1" count(eval(searchmatch("thing2_I_am_searching_for"))) AS "line 2" ...
0 Karma
Reply
Solved! Jump to solution

swazimodo
Path Finder
‎11-22-2019 10:26 AM

I got this working but there is some overlap in the queries and those records will only ever show up in one of the categories.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎11-22-2019 12:37 PM

There is always a way to refine the count(...) to avoid the overlap (you can use ANDs and ORs ). We can keep going if you get more specific.

0 Karma
Reply
Solved! Jump to solution
Solution

swazimodo
Path Finder
‎11-21-2019 12:13 PM

This is possible with multisearch. You can create your queries and then use eval to tag each search result by type. You can then pipe that into a chart counting by the your appended type column.

| multisearch [search index=myApp "thing1_I_am_searching_for" | eval lineSource = "Error_type_one"] [search index=myApp "thing2_I_am_searching_for" | eval lineSource = "Error_type_two"] | timechart span=1h count by lineSource
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎11-21-2019 03:14 PM

This will work but it will be 3X as expensive and slow compared to my solution.

0 Karma
Reply
Solved! Jump to solution

swazimodo
Path Finder
‎11-22-2019 07:03 AM

@woodcock Can you explain why this 3x the cost?

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎11-22-2019 07:50 AM

It runs the searches simultaneously, whereas mine runs a single search.

0 Karma
Reply
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...
Top