Dashboards & Visualizations

Multiple data series in line chart - dashboard visualization

Path Finder

I am trying to display data in the form of line chart in dashboard. Each line in the chart should represent a separate series. For ex: one series would show number of events "string1" appears in index i1 and other series be number of events "string2" appears in the same index i1.

For one data series I can write in the search bar something like:

index = i1 string1 | timechart count by event

How can I incorporate string 2 in this such that for each string the count of events in which the strings appear can be represented by two different lines in a chart in dashboard?

Thanks,

0 Karma

Splunk Employee
Splunk Employee

Splunk Employee
Splunk Employee

Sounds like you need to post a new question with your specific challenge.

0 Karma

Path Finder

Multiline data series not working with Splunk . I tried a simple timchart count by host and dashboard is not supporting this query. When I schedule pdf delivery it just shows as blank.

0 Karma

Splunk Employee
Splunk Employee

You are correct. Updating now. Looks like references were changed in the online docs.

0 Karma

Explorer

Is it just me or do none of these links work??? What am I doing wrong? It brings me to a page that says only this is a special page...

0 Karma

Path Finder

I am trying to create field (key/value) pairs for string1 and string2 interactively following http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/ExtractfieldsinteractivelywithIFX
For string1 I am able to create a field but for string2 splunk is not allowing me to create field, it does not creates regex for the second string, is there another way to create fields? Also, I was wondering since I know there will be only one value associated with each of the fields I create, is creating fields the only way to do it? ex: field s1="String1" and s2="String2" always.

0 Karma

Splunk Employee
Splunk Employee

Yes, you'll need fields for those values you want to count.

0 Karma

Path Finder

do I have to create fields for each of the string I want to search (string1, string2) first?

0 Karma

Splunk Employee
Splunk Employee

I think what you want is multiple stats operations...one for each field. Or maybe i'm missing something?

... | stats count(field1) count(field2) avg(field3)

0 Karma

Path Finder

Thanks for the link. I checked it but I am not getting clearly how its done.

I want to search for multiple strings in an index, calculate count of events separately in which the strigs appear and then plot them in a chart.

The example in the link does not show how can I search for a string and plot it in chart. Ex: index = i1 string1 "String 1 " | stats count
This will give the number events in index i1 where "String 1" is present. How can implement this using the example given in the link?
Thanks

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!