Dashboards & Visualizations

Multiple data series in line chart - dashboard visualization

parth_jec
Path Finder

I am trying to display data in the form of a line chart in a dashboard. Each line in the chart should represent a separate series. For example: one series would show the number of events in which "string1" appears in index i1 and the other series would be the number of events in which "string2" appears in the same index i1.

For one data series I can write in the search bar something like:

index = i1 string1 | timechart count by event

How can I incorporate string 2 in this such that for each string the count of events in which the strings appear can be represented by two different lines in a chart in dashboard?

Thanks,

0 Karma

sdaniels
Splunk Employee

Sounds like you need to post a new question with your specific challenge.

0 Karma

arungeorge09
Path Finder

Multiline data series not working with Splunk. I tried a simple timechart count by host and the dashboard is not supporting this query. When I schedule PDF delivery it just shows as blank.

0 Karma

sdaniels
Splunk Employee

You are correct. Updating now. Looks like references were changed in the online docs.

0 Karma

benspader
Explorer

Is it just me or do none of these links work??? What am I doing wrong? It brings me to a page that says only this is a special page...

0 Karma

parth_jec
Path Finder

I am trying to create field (key/value) pairs for string1 and string2 interactively following http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/ExtractfieldsinteractivelywithIFX
For string1 I am able to create a field, but for string2 Splunk is not allowing me to create a field; it does not create a regex for the second string. Is there another way to create fields? Also, I was wondering, since I know there will be only one value associated with each of the fields I create, is creating fields the only way to do it? Ex: field s1="String1" and s2="String2" always.

0 Karma

sdaniels
Splunk Employee

Yes, you'll need fields for those values you want to count.

0 Karma

parth_jec
Path Finder

Do I have to create fields for each of the strings I want to search (string1, string2) first?

0 Karma

sdaniels
Splunk Employee

I think what you want is multiple stats operations...one for each field. Or maybe I'm missing something?

... | stats count(field1) count(field2) avg(field3)

0 Karma

parth_jec
Path Finder

Thanks for the link. I checked it but I am not getting clearly how it's done.

I want to search for multiple strings in an index, calculate the count of events separately in which the strings appear and then plot them in a chart.

The example in the link does not show how I can search for a string and plot it in a chart. Ex: index = i1 string1 "String 1 " | stats count
This will give the number of events in index i1 where "String 1" is present. How can I implement this using the example given in the link?
Thanks

0 Karma
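For reference, one way to get the two series asked about in this thread in a single search. This is an added example, not a query posted by any participant; it assumes the index `i1` and the literal search terms `string1` and `string2` from the question, and it matches on the raw event text with `searchmatch`, so it does not rely on any extracted field.

```spl
index=i1 ("string1" OR "string2")
| timechart
    count(eval(searchmatch("string1"))) AS string1
    count(eval(searchmatch("string2"))) AS string2
```

Each `AS` name becomes its own line when the result is rendered as a line chart. An event that contains both strings is counted in both series.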