Dashboards & Visualizations

How to sum timechart results from multiple search queries?

dzyfer
Path Finder

Hi, I have multiple timecharts with similar search queries sharing the same index; the only difference is that they come from different metric names, i.e.

| mstats max(my_Var) AS my_Var where index=* AND "internal_name"="A1"
...
| timechart span=1w sum(Var) AS output
| mstats max(my_Var) AS my_Var where index=* AND "internal_name"="A2"
...
| timechart span=1w sum(Var) AS output

... and so on.

I would like to have a panel where the various "output" are summed into a combined timechart.
I have seen some similar solutions involving tokens, but I am unfamiliar with how they work, so I hope that someone can walk me through what to do; any other solutions would be great too. Thanks

 

1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @dzyfer,

Ok, in this case the easiest approach is to schedule all your original searches (the frequency depends on how much data you receive) and save the results in a summary index; then you can use this summary index for your global timecharting.

Ciao.

Giuseppe


dzyfer
Path Finder

Hi @gcusello ,

thanks for the prompt reply; however, using the IN function in the first line leads to the search summing up the results at the beginning, but my search actually consists of intermediate calculations before arriving at the "Var" variable, and this method causes the final summation to be inaccurate. As such, I'm wondering if there is a way to sum up the final results only.

Thanks!


gcusello
SplunkTrust
SplunkTrust

Hi @dzyfer,

I don't think that the inaccurate summarization is of the global data, because I didn't see any where condition in your searches; anyway, you can make the timechart summarization in two steps:

| mstats max(my_Var) AS my_Var where index=* AND internal_name IN ("A1","A2") BY internal_name span=1w
| bin span=1w _time
| stats sum(eval(if(internal_name="A1",Var,0))) AS output_A1 sum(eval(if(internal_name="A2",Var,0))) AS output_A2 BY _time
| eval output=output_A1+output_A2

Ciao.

Giuseppe


dzyfer
Path Finder

Hi @gcusello , 

Apologies, in an attempt to anonymize my search earlier I made some errors, which made it seem confusing, so this is the corrected code with other variables so that maybe it would be easier to understand my dilemma.

| mstats span=1m earliest(monitor) AS first latest(monitor) AS last max(monitor) AS max WHERE index=organizationmetric AND internal_name="SR01" 
| autoregress last AS lastlast 
| eval diff = if(first = lastlast, 0,if(first-lastlast<0,0,first-lastlast))
| eval divmaxlast = round(max-last,0)
| eval meter = round(if(max=last,last-first,if(last<max,if(divmaxlast<2,last-first,max-first+last),max-first+last))) + diff
| eval date=strftime(_time,"%Y-%m-%V")
| timechart span=1w sum(meter) AS output

the other metric names are "SR02", "SR03" and "SR04"

Thanks and sorry again for the confusion

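An added example, not from the thread, of collapsing the four per-metric searches above into one search that still sums only the final `meter` values: the asker's calculations are kept as written, but `BY internal_name` on `mstats` keeps every series in one result set, and `streamstats ... BY internal_name` stands in for `autoregress` so each series gets its own previous `last` value before the closing `timechart` sums `meter` across SR01 to SR04. The index and metric names are the ones the post gives; the `IN (...)` filter, `BY internal_name` and the `streamstats` form are my substitutions.

```spl
| mstats span=1m earliest(monitor) AS first latest(monitor) AS last max(monitor) AS max
    WHERE index=organizationmetric AND internal_name IN ("SR01","SR02","SR03","SR04")
    BY internal_name
| streamstats current=f window=1 last(last) AS lastlast BY internal_name
| eval diff = if(first = lastlast, 0, if(first-lastlast<0, 0, first-lastlast))
| eval divmaxlast = round(max-last,0)
| eval meter = round(if(max=last, last-first, if(last<max, if(divmaxlast<2, last-first, max-first+last), max-first+last))) + diff
| timechart span=1w sum(meter) AS output
```

As with the original `autoregress`, the first 1m bucket of each series has no `lastlast`, so its `meter` is null and is skipped by the sum. To keep the per-series columns next to the total, end with `| timechart span=1w sum(meter) AS output BY internal_name | addtotals fieldname=output` instead.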

gcusello
SplunkTrust
SplunkTrust

Hi @dzyfer,

did you try something like this?

| mstats max(my_Var) AS my_Var where index=* AND internal_name IN ("A1","A2") span=1w
| timechart span=1w sum(Var) AS output

Ciao.

Giuseppe
