Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

timechart help: split all by host

tedder
Communicator
‎01-10-2011 07:54 PM

I'm having trouble using timechart for multiple hosts. Here's what I want to do:

index="wmi" host="hostprefix*" (wmi_type=CPUTime OR wmi_type=NET OR wmi_type=Memory) | kv | fields wmi_type,host,PercentProcessorTime,Contexts,AvailableMBytes | timechart max(AvailableMBytes) by host | max(PercentProcessorTime) by host | timechart max(Context) by host

That doesn't work. "Fields missing" on the second two timechart commands. Changing the order shows it isn't an issue with the data. So I've tried this, and I get the error "Error in 'timechart' command: When you specify a split-by field, only single functions applied to a non-wildcarded data field are allowed."

index="wmi" host="hostprefix*" (wmi_type=CPUTime OR wmi_type=NET OR wmi_type=Memory) | kv | fields wmi_type,host,PercentProcessorTime,Contexts,AvailableMBytes | timechart max(AvailableMBytes), max(Context), max(PercentProcessorTime) by host

I've also tried the following, which returns the error "Error in 'timechart' command: The argument 'max(Context)' is invalid."

index="wmi" host="hostprefix*" (wmi_type=CPUTime OR wmi_type=NET OR wmi_type=Memory) | kv | fields wmi_type,host,PercentProcessorTime,Contexts,AvailableMBytes | timechart max(AvailableMBytes) by host, max(Context) by host, max(PercentProcessorTime) by host

Why is that? I truly want to split all three items by host. I can have three different graphs, but that isn't really what I want.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

steveyz
Splunk Employee
Splunk Employee
‎01-11-2011 07:06 PM

Unfortunately, with timechart, if you specify a field to split by, you can not specify more than one item to graph. This is because, when you split by a field, the distinct values of that field become the column/field names. In essense you want to produce a graph with 3 axis (time, host, and AvailableMBytes/Context/PercentProcessorTime), but we can only produce 2D tables and charts.

You could try doing this (basically flattening the 3rd axis together with the host field):

index="wmi" host="hostprefix*" (wmi_type=CPUTime OR wmi_type=NET OR wmi_type=Memory)
| kv
| fields wmi_type,host,PercentProcessorTime,Contexts,AvailableMBytes
| eval pivot = "PercentProcessorTime;Contexts;AvailableMBytes"
| makemv pivot delim=";"
| mvexpand pivot
| eval x=if(pivot="PercentProcessorTime",PercentProcessorTime,if(pivot="Contexts",Contexts,AvailableMBytes))
| eval host = pivot . "-" . host
| timechart max(x) by host

View solution in original post

Reply
Solved! Jump to solution
Solution

steveyz
Splunk Employee
Splunk Employee
‎01-11-2011 07:06 PM

Unfortunately, with timechart, if you specify a field to split by, you can not specify more than one item to graph. This is because, when you split by a field, the distinct values of that field become the column/field names. In essense you want to produce a graph with 3 axis (time, host, and AvailableMBytes/Context/PercentProcessorTime), but we can only produce 2D tables and charts.

You could try doing this (basically flattening the 3rd axis together with the host field):

index="wmi" host="hostprefix*" (wmi_type=CPUTime OR wmi_type=NET OR wmi_type=Memory)
| kv
| fields wmi_type,host,PercentProcessorTime,Contexts,AvailableMBytes
| eval pivot = "PercentProcessorTime;Contexts;AvailableMBytes"
| makemv pivot delim=";"
| mvexpand pivot
| eval x=if(pivot="PercentProcessorTime",PercentProcessorTime,if(pivot="Contexts",Contexts,AvailableMBytes))
| eval host = pivot . "-" . host
| timechart max(x) by host
Reply
Solved! Jump to solution

steveyz
Splunk Employee
Splunk Employee
‎01-20-2011 05:57 AM

By the way, in 4.2, which will be released in the near future, you will be able to do multi-series split-by within chart or timechart

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎01-13-2011 07:15 AM

This http://www.splunk.com/base/Documentation/4.1.6/User/ReportOfMultipleDataSeries shows a slightly different way of doing it.

0 Karma
Reply
Solved! Jump to solution

tedder
Communicator
‎01-12-2011 10:05 PM

the one minor bit:

| eval host = pivot . "-" host

should be:

| eval host = pivot . "-" . host

But that works!

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...