Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get two cols from same table onto a graph?

luna94
Engager
‎01-20-2023 08:53 AM

Hi,

I am trying to get two cols from the same table onto a line graph. Each col is an independent value, so the graph should show two lines; I do not want to consolidate the two col together.

This is the Search SPL I am using to pull data:

------graph 1-------

mstats avg(_value) prestats=true
WHERE metric_name="cpu.system" AND "index"="em_metrics" AND "host"="ABC"
AND `sai_metrics_indexes` span=10s
timechart avg(_value) AS Avg span=10s
fields - _span*

------graph 2-------

mstats avg(_value) prestats=true
WHERE metric_name="memory.used" AND "index"="em_metrics" AND "host"="ABC"
AND `sai_metrics_indexes` span=10s
timechart avg(_value) AS Avg span=10s
fields - _span*

As you can see, almost everything is the same besides the metric_name. I am trying to get both metric_name data's onto one graph.

I tried to combine both metric_name into one by adding another AND statement, but it won't work.

Thanks in Advance!

 

 

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-20-2023 09:02 AM

Try something like this

 

| mstats avg(_value) prestats=true
WHERE (metric_name="cpu.system" OR metric_name="memory.used") AND "index"="em_metrics" AND "host"="ABC"
AND `sai_metrics_indexes` span=10s BY metric_name
| timechart avg(_value) AS Avg span=10s BY metric_name

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-20-2023 09:02 AM

Try something like this

 

| mstats avg(_value) prestats=true
WHERE (metric_name="cpu.system" OR metric_name="memory.used") AND "index"="em_metrics" AND "host"="ABC"
AND `sai_metrics_indexes` span=10s BY metric_name
| timechart avg(_value) AS Avg span=10s BY metric_name

 

0 Karma
Reply
Solved! Jump to solution

luna94
Engager
‎02-01-2023 09:07 AM

@ITWhisperer Thank You for your help! The first one was the solution. I forgot to insert the " | " key before mstats.

0 Karma
Reply
Solved! Jump to solution

luna94
Engager
‎01-20-2023 09:17 AM

It's not working - no data loading.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-20-2023 09:23 AM

Do you get anything from just the mstats command?

0 Karma
Reply
Solved! Jump to solution

luna94
Engager
‎01-20-2023 10:15 AM

yes, data comes through

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-20-2023 10:50 AM

Assuming you still have the _time field and the other fields are "avg(_value)" and metric_name, try this:

mstats avg(_value) prestats=true
WHERE (metric_name="cpu.system" OR metric_name="memory.used") AND "index"="em_metrics" AND "host"="ABC"
AND `sai_metrics_indexes` span=10s BY metric_name
| chart values(avg(_value)) by _time metric_name
0 Karma
Reply
Solved! Jump to solution

luna94
Engager
‎01-20-2023 11:13 AM

Scratch what I said below, it didn't work. I stretched the graph to make it bigger and it's still one line graph. Your second suggestion did not pulling anything

 

Thank you for your help. I did this and it was able to show both data as independent lines.

| mstats avg(_value) prestats=true
WHERE (metric_name="cpu.system" OR metric_name="memory.used") AND "index"="em_metrics" AND "host"="VMAKSA69901N2G"
AND `sai_metrics_indexes` span=10s
| timechart avg(_value) AS Avg span=10s
| fields - _span*

I do have another question if you happen to know, how do I color code or label each line?

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...