Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Multiseries chart

kp_pl
Path Finder
‎03-20-2024 03:27 PM

At the beginning two examples :

the first one:

index=s1
| timechart sum(kmethod) avg(kduration)

 

generates two series chart

second one uses 'count by':

index=s1
| timechart count by kmethod

 

generates just one series .

 

I would like to join both timecharts and kind of merge "count by" with simple "avg" or "sum" so  :

-first one 'stacked bar' from second example

-second one 'line' from second series of the first example

 

Any hints ?

 

K.

 

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-20-2024 04:10 PM

It is not clear what you are trying to do here - the second one generates a count for each unique value of kmethod - which presumably is a number since the first one is summing these?

Please can you clarify what you are trying to do, perhaps provide some sample (anonymosed) events so we can see what you are dealing with, and an example of your expected result?

0 Karma
Reply

kp_pl
Path Finder
‎03-20-2024 04:20 PM

Well - I always have problem with clear explanation, sorry about it.

So look at the graph below

kp_pl_0-1710976511586.png

It is exactly  what I need . One "series" - bars is a count for each uniqe value >> timechart count by kmethod
Second series , black line, just a simple sum or average function >> timechart sum(kmethod)

 

 

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-21-2024 01:29 AM

Still not clear - from your chart, it appears that kmethod is a string (jura_... etc). How do you then either sum these strings or take an average?

0 Karma
Reply

kp_pl
Path Finder
‎03-21-2024 01:49 AM

of course, the chart is correct , explanation is bad  - my mistake

so the first series - no doubt

timechart count by kmethod

the second one of course sum/avg numbers

timechart avg(duration)

 

All data comes from access.log which format is something like :

TIMESTAMP;IP;HTTP_METHOD;METHOD;RETURN_CODE;DURATION;BYTES;UUID

 

 

 

 

 

 

 

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-21-2024 02:30 AM

Assuming you want average duration from all events, you could do something like this

| bin _time span=30m
| eventstats count by _time method
| appendpipe
    [| eventstats sum(duration) as count by _time
    | eval method="duration"]
| xyseries _time method count
| addtotals fieldname=total
| eval total=total-duration
| eval average=duration/total
| fields - duration total

Using dummy data, gives something like this

ITWhisperer_0-1711013423505.png

 

0 Karma
Reply

kp_pl
Path Finder
‎03-21-2024 03:32 AM

Nice 🙂

 

It is almost what I need and expect.

Just give me one more hint regarding _time . I want to show data from the past, from last monday between 9am and 5pm .  

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-21-2024 04:52 AM

Change your time-picker to be the time period you want

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...