I know there's no option for "by" in trendline but my question is the following, given a table like this:
Is it possible to display the trend of every field ( req count, duration, error_count) and group it by host ( There're 6 different hosts ) ?
@greggz if you are on Splunk Enterprise 6.6 or higher you can try the Trellis layout.
For Splunk Enterprise 7.0 or higher you can also add Compare Series option to compare how various stats are trending through timechart command and hover to see individual values at specific time.
Following is a run anywhere dashboard examples based on Splunk's _internal index( I have created some dummy data for various stats, they are not necessarily accurate) and used component instead of host as per your use case.
Following is the Simple XML code:
<dashboard>
<label>Compare Trend for multiple stats</label>
<row>
<panel>
<chart>
<search>
<query>index=_internal sourcetype=splunkd log_level!=INFO component!="ConfContentsCache"
| timechart count as request_count count(eval(log_level=="ERROR")) as error_count sum(date_second) as total_duration by component limit=20 useother=f</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="height">700</option>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.abbreviation">none</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.abbreviation">none</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.abbreviation">none</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">line</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">zero</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">none</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisEnd</option>
<option name="charting.legend.mode">seriesCompare</option>
<option name="charting.legend.placement">right</option>
<option name="charting.lineWidth">2</option>
<option name="trellis.enabled">1</option>
<option name="trellis.scales.shared">0</option>
<option name="trellis.size">large</option>
<option name="trellis.splitBy">_aggregation</option>
</chart>
</panel>
</row>
</dashboard>
