Solved: How to get two cols from same table onto a graph?

luna94 · ‎01-20-2023

Hi,

I am trying to get two cols from the same table onto a line graph. Each col is an independent value, so the graph should show two lines; I do not want to consolidate the two col together.

This is the Search SPL I am using to pull data:

------graph 1-------

mstats avg(_value) prestats=true
WHERE metric_name="cpu.system" AND "index"="em_metrics" AND "host"="ABC"
AND `sai_metrics_indexes` span=10s
timechart avg(_value) AS Avg span=10s
fields - _span*

------graph 2-------

mstats avg(_value) prestats=true
WHERE metric_name="memory.used" AND "index"="em_metrics" AND "host"="ABC"
AND `sai_metrics_indexes` span=10s
timechart avg(_value) AS Avg span=10s
fields - _span*

As you can see, almost everything is the same besides the metric_name. I am trying to get both metric_name data's onto one graph.

I tried to combine both metric_name into one by adding another AND statement, but it won't work.

Thanks in Advance!

ITWhisperer · ‎01-20-2023

Try something like this

| mstats avg(_value) prestats=true
WHERE (metric_name="cpu.system" OR metric_name="memory.used") AND "index"="em_metrics" AND "host"="ABC"
AND `sai_metrics_indexes` span=10s BY metric_name
| timechart avg(_value) AS Avg span=10s BY metric_name

View solution in original post

ITWhisperer · ‎01-20-2023

Try something like this

| mstats avg(_value) prestats=true
WHERE (metric_name="cpu.system" OR metric_name="memory.used") AND "index"="em_metrics" AND "host"="ABC"
AND `sai_metrics_indexes` span=10s BY metric_name
| timechart avg(_value) AS Avg span=10s BY metric_name

luna94 · ‎02-01-2023

@ITWhisperer Thank You for your help! The first one was the solution. I forgot to insert the " | " key before mstats.

luna94 · ‎01-20-2023

It's not working - no data loading.

ITWhisperer · ‎01-20-2023

Do you get anything from just the mstats command?

luna94 · ‎01-20-2023

yes, data comes through

ITWhisperer · ‎01-20-2023

Assuming you still have the _time field and the other fields are "avg(_value)" and metric_name, try this:

mstats avg(_value) prestats=true
WHERE (metric_name="cpu.system" OR metric_name="memory.used") AND "index"="em_metrics" AND "host"="ABC"
AND `sai_metrics_indexes` span=10s BY metric_name
| chart values(avg(_value)) by _time metric_name

luna94 · ‎01-20-2023

Scratch what I said below, it didn't work. I stretched the graph to make it bigger and it's still one line graph. Your second suggestion did not pulling anything

~~Thank you for your help. I did this and it was able to show both data as independent lines.~~

~~| mstats avg(_value) prestats=true~~
~~WHERE (metric_name="cpu.system" OR metric_name="memory.used") AND "index"="em_metrics" AND "host"="VMAKSA69901N2G"~~
~~AND `sai_metrics_indexes` span=10s~~
~~| timechart avg(_value) AS Avg span=10s~~
| fields - _span*

~~I do have another question if you happen to know, how do I color code or label each~~ line?

How to get two cols from same table onto a graph?

chart

dashboard

table

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Global Splunk User Group Events: May + June 2026

Join the Conversation