Dashboards & Visualizations

How to create a line chart with multiple series?

Iris_Pi
Path Finder

Hello everyone,

I have collected some firewall traffic data: two firewalls (fw1/fw2), each with two interfaces (ethernet1/1 and ethernet1/2); rxbytes and txbytes are collected every 5 minutes.

The raw data is shown below:
>>>
{"timestamp": 1726668551, "fwname": "fw1", "interface": "ethernet1/1", "rxbytes": 59947791867743, "txbytes": 37019023811192}
{"timestamp": 1726668551, "fwname": "fw1", "interface": "ethernet1/2", "rxbytes": 63755935850903, "txbytes": 32252936430552}
{"timestamp": 1726668551, "fwname": "fw2", "interface": "ethernet1/1", "rxbytes": 0, "txbytes": 0}
{"timestamp": 1726668551, "fwname": "fw2", "interface": "ethernet1/2", "rxbytes": 0, "txbytes": 0}
{"timestamp": 1726668851, "fwname": "fw1", "interface": "ethernet1/1", "rxbytes": 59948210937804, "txbytes": 37019791801583}
{"timestamp": 1726668851, "fwname": "fw1", "interface": "ethernet1/2", "rxbytes": 63755965708078, "txbytes": 32253021060643}
{"timestamp": 1726668851, "fwname": "fw2", "interface": "ethernet1/1", "rxbytes": 0, "txbytes": 0}
{"timestamp": 1726668851, "fwname": "fw2", "interface": "ethernet1/2", "rxbytes": 0, "txbytes": 0}
{"timestamp": 1726669151, "fwname": "fw1", "interface": "ethernet1/1", "rxbytes": 59948636904106, "txbytes": 37020560028933}
{"timestamp": 1726669151, "fwname": "fw1", "interface": "ethernet1/2", "rxbytes": 63756002542165, "txbytes": 32253111011234}
{"timestamp": 1726669151, "fwname": "fw2", "interface": "ethernet1/1", "rxbytes": 0, "txbytes": 0}
{"timestamp": 1726669151, "fwname": "fw2", "interface": "ethernet1/2", "rxbytes": 0, "txbytes": 0}
{"timestamp": 1726669451, "fwname": "fw1", "interface": "ethernet1/1", "rxbytes": 59949094737896, "txbytes": 37021330717977}
{"timestamp": 1726669451, "fwname": "fw1", "interface": "ethernet1/2", "rxbytes": 63756101313559, "txbytes": 32253199085252}
{"timestamp": 1726669451, "fwname": "fw2", "interface": "ethernet1/1", "rxbytes": 0, "txbytes": 0}
{"timestamp": 1726669451, "fwname": "fw2", "interface": "ethernet1/2", "rxbytes": 0, "txbytes": 0}
{"timestamp": 1726669752, "fwname": "fw1", "interface": "ethernet1/1", "rxbytes": 59949550987330, "txbytes": 37022105630147}
{"timestamp": 1726669752, "fwname": "fw1", "interface": "ethernet1/2", "rxbytes": 63756167141302, "txbytes": 32253286546113}
{"timestamp": 1726669752, "fwname": "fw2", "interface": "ethernet1/1", "rxbytes": 0, "txbytes": 0}
{"timestamp": 1726669752, "fwname": "fw2", "interface": "ethernet1/2", "rxbytes": 0, "txbytes": 0}
{"timestamp": 1726670052, "fwname": "fw1", "interface": "ethernet1/1", "rxbytes": 59949968397016, "txbytes": 37022870539739}
{"timestamp": 1726670052, "fwname": "fw1", "interface": "ethernet1/2", "rxbytes": 63756401499253, "txbytes": 32253380028970}
{"timestamp": 1726670052, "fwname": "fw2", "interface": "ethernet1/1", "rxbytes": 0, "txbytes": 0}
{"timestamp": 1726670052, "fwname": "fw2", "interface": "ethernet1/2", "rxbytes": 0, "txbytes": 0}
<<<

Now I need to create one chart to show the value of "rxbytes" over time, with 4 series:
(series 1) fw1, interface1/1
(series 2) fw1, interface1/2
(series 3) fw2, interface1/1
(series 4) fw2, interface1/2

But I am having trouble composing the SPL statement for this purpose. Can you please help here? Thank you in advance!

1 Solution

gcusello
SplunkTrust

Hi @Iris_Pi ,

supposing that the _time of your events is the timestamp field, you have two solutions:

1) using stats (supposing a span of 1 hour):

<your_search>
| bin span=1h _time
| stats sum(rxbytes) AS rxbytes BY _time fwname interface

2) using timechart (supposing a span of 1 hour):

<your_search>
| eval col=fwname.", ".interface
| timechart span=1h sum(rxbytes) AS rxbytes BY col

I prefer the first one.

Ciao.

Giuseppe


Iris_Pi
Path Finder

Thanks Giuseppe for your advice. 

The second one works.

The first one somehow only returns 4 lines of results.

(screenshot attached: Iris_Pi_0-1726729600038.png)


gcusello
SplunkTrust
SplunkTrust

Hi @Iris_Pi ,

the first solution requires that you always have both fwname and interface fields.

Ciao.

Giuseppe

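The difference between the two queries in the accepted answer comes down to what survives the BY clause. As an added example (plain Python, not Splunk and not Giuseppe's query), the block below imitates `bin span=... _time | stats sum(rxbytes) BY ...` and `eval col=... | timechart span=... sum(rxbytes) BY col` over twelve of the events from the question, taking the `timestamp` field as _time as the answer assumes: when _time is binned but not listed in BY, stats keeps exactly one row per fwname/interface pair, which is the four-row result reported in the follow-up, whereas listing _time in BY (or using timechart, which keys on _time implicitly) yields one row per bucket per series. One caveat visible in the sample data: rxbytes is a cumulative interface counter that only grows, so sum() over an hourly bucket adds twelve 5-minute snapshots together; for a line chart of the counter itself, latest() or max() per bucket is the usual choice, and the difference between consecutive readings per series gives bytes transferred per interval.

```python
"""Plain-Python model of the two SPL pipelines in the accepted answer.

Added example, not Splunk code and not the answer's own query: it imitates
`bin span=... _time | stats sum(rxbytes) BY ...` and
`eval col=... | timechart span=... sum(rxbytes) BY col` over the question's
sample events so the effect of the BY clause can be checked offline.
"""
import json
from collections import defaultdict

# Twelve of the events from the question (three 5-minute snapshots of the
# four firewall/interface pairs), copied verbatim.
RAW_EVENTS = """\
{"timestamp": 1726668551, "fwname": "fw1", "interface": "ethernet1/1", "rxbytes": 59947791867743, "txbytes": 37019023811192}
{"timestamp": 1726668551, "fwname": "fw1", "interface": "ethernet1/2", "rxbytes": 63755935850903, "txbytes": 32252936430552}
{"timestamp": 1726668551, "fwname": "fw2", "interface": "ethernet1/1", "rxbytes": 0, "txbytes": 0}
{"timestamp": 1726668551, "fwname": "fw2", "interface": "ethernet1/2", "rxbytes": 0, "txbytes": 0}
{"timestamp": 1726668851, "fwname": "fw1", "interface": "ethernet1/1", "rxbytes": 59948210937804, "txbytes": 37019791801583}
{"timestamp": 1726668851, "fwname": "fw1", "interface": "ethernet1/2", "rxbytes": 63755965708078, "txbytes": 32253021060643}
{"timestamp": 1726668851, "fwname": "fw2", "interface": "ethernet1/1", "rxbytes": 0, "txbytes": 0}
{"timestamp": 1726668851, "fwname": "fw2", "interface": "ethernet1/2", "rxbytes": 0, "txbytes": 0}
{"timestamp": 1726669151, "fwname": "fw1", "interface": "ethernet1/1", "rxbytes": 59948636904106, "txbytes": 37020560028933}
{"timestamp": 1726669151, "fwname": "fw1", "interface": "ethernet1/2", "rxbytes": 63756002542165, "txbytes": 32253111011234}
{"timestamp": 1726669151, "fwname": "fw2", "interface": "ethernet1/1", "rxbytes": 0, "txbytes": 0}
{"timestamp": 1726669151, "fwname": "fw2", "interface": "ethernet1/2", "rxbytes": 0, "txbytes": 0}
"""


def parse_events(raw):
    """One JSON object per line. The `timestamp` field is taken as _time
    (the answer's assumption); Splunk would normally do this at index time."""
    events = []
    for line in raw.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["_time"] = int(ev["timestamp"])
            events.append(ev)
    return events


def bin_time(events, span_seconds):
    """`bin span=<span> _time`: floor every _time to the start of its bucket."""
    for ev in events:
        ev["_time"] -= ev["_time"] % span_seconds
    return events


def stats_sum(events, field, by):
    """`stats sum(<field>) AS <field> BY <by ...>`: one row per distinct BY tuple.
    Fields not named in BY (including a binned _time) do not survive."""
    totals = defaultdict(int)
    for ev in events:
        totals[tuple(ev[k] for k in by)] += ev[field]
    return [dict(zip(by, key), **{field: total})
            for key, total in sorted(totals.items())]


def timechart_sum(events, span_seconds, field, series_of):
    """`eval col=<series_of> | timechart span=<span> sum(<field>) BY col`:
    one row per bucket, one column per series, absent series filled with 0."""
    binned = bin_time(events, span_seconds)
    series = sorted({series_of(ev) for ev in binned})
    rows = defaultdict(lambda: {s: 0 for s in series})
    for ev in binned:
        rows[ev["_time"]][series_of(ev)] += ev[field]
    return [dict(_time=t, **cols) for t, cols in sorted(rows.items())]


def demo(span_seconds=300):
    """Run the three variants; returns (collapsed, per_bucket, chart)."""
    # BY without _time: the binned time is dropped, leaving 4 rows (one per
    # fwname/interface pair) and no time axis, whatever the span.
    collapsed = stats_sum(bin_time(parse_events(RAW_EVENTS), span_seconds),
                          "rxbytes", ["fwname", "interface"])
    # BY with _time: one row per bucket per series, chartable as 4 lines.
    per_bucket = stats_sum(bin_time(parse_events(RAW_EVENTS), span_seconds),
                           "rxbytes", ["_time", "fwname", "interface"])
    # timechart: series label built with eval, pivoted into columns.
    chart = timechart_sum(parse_events(RAW_EVENTS), span_seconds, "rxbytes",
                          lambda ev: f'{ev["fwname"]}, {ev["interface"]}')
    return collapsed, per_bucket, chart


if __name__ == "__main__":
    collapsed, per_bucket, chart = demo()
    print(f"stats BY fwname interface       -> {len(collapsed)} rows")
    print(f"stats BY _time fwname interface -> {len(per_bucket)} rows")
    for row in chart:
        print(row)
```

Calling `demo(3600)` instead of the default 5-minute span is a useful second check: with only 15 minutes of sample data every event lands in the same hourly bucket, so even the _time-keyed variants return a single time row. A four-row result is therefore not always a missing _time in BY; compare the span with the time range of the data before changing the query.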