Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get two cols from same table onto a graph?

luna94
Engager
‎01-20-2023 08:53 AM

Hi,

I am trying to get two cols from the same table onto a line graph. Each col is an independent value, so the graph should show two lines; I do not want to consolidate the two col together.

This is the Search SPL I am using to pull data:

------graph 1-------

mstats avg(_value) prestats=true
WHERE metric_name="cpu.system" AND "index"="em_metrics" AND "host"="ABC"
AND `sai_metrics_indexes` span=10s
timechart avg(_value) AS Avg span=10s
fields - _span*

------graph 2-------

mstats avg(_value) prestats=true
WHERE metric_name="memory.used" AND "index"="em_metrics" AND "host"="ABC"
AND `sai_metrics_indexes` span=10s
timechart avg(_value) AS Avg span=10s
fields - _span*

As you can see, almost everything is the same besides the metric_name. I am trying to get both metric_name data's onto one graph.

I tried to combine both metric_name into one by adding another AND statement, but it won't work.

Thanks in Advance!

 

 

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-20-2023 09:02 AM

Try something like this

 

| mstats avg(_value) prestats=true
WHERE (metric_name="cpu.system" OR metric_name="memory.used") AND "index"="em_metrics" AND "host"="ABC"
AND `sai_metrics_indexes` span=10s BY metric_name
| timechart avg(_value) AS Avg span=10s BY metric_name

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-20-2023 09:02 AM

Try something like this

 

| mstats avg(_value) prestats=true
WHERE (metric_name="cpu.system" OR metric_name="memory.used") AND "index"="em_metrics" AND "host"="ABC"
AND `sai_metrics_indexes` span=10s BY metric_name
| timechart avg(_value) AS Avg span=10s BY metric_name

 

0 Karma
Reply
Solved! Jump to solution

luna94
Engager
‎02-01-2023 09:07 AM

@ITWhisperer Thank You for your help! The first one was the solution. I forgot to insert the " | " key before mstats.

0 Karma
Reply
Solved! Jump to solution

luna94
Engager
‎01-20-2023 09:17 AM

It's not working - no data loading.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-20-2023 09:23 AM

Do you get anything from just the mstats command?

0 Karma
Reply
Solved! Jump to solution

luna94
Engager
‎01-20-2023 10:15 AM

yes, data comes through

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-20-2023 10:50 AM

Assuming you still have the _time field and the other fields are "avg(_value)" and metric_name, try this:

mstats avg(_value) prestats=true
WHERE (metric_name="cpu.system" OR metric_name="memory.used") AND "index"="em_metrics" AND "host"="ABC"
AND `sai_metrics_indexes` span=10s BY metric_name
| chart values(avg(_value)) by _time metric_name
0 Karma
Reply
Solved! Jump to solution

luna94
Engager
‎01-20-2023 11:13 AM

Scratch what I said below, it didn't work. I stretched the graph to make it bigger and it's still one line graph. Your second suggestion did not pulling anything

 

Thank you for your help. I did this and it was able to show both data as independent lines.

| mstats avg(_value) prestats=true
WHERE (metric_name="cpu.system" OR metric_name="memory.used") AND "index"="em_metrics" AND "host"="VMAKSA69901N2G"
AND `sai_metrics_indexes` span=10s
| timechart avg(_value) AS Avg span=10s
| fields - _span*

I do have another question if you happen to know, how do I color code or label each line?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...