Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

timechart help: split all by host

tedder
Communicator
‎01-10-2011 07:54 PM

I'm having trouble using timechart for multiple hosts. Here's what I want to do:

index="wmi" host="hostprefix*" (wmi_type=CPUTime OR wmi_type=NET OR wmi_type=Memory) | kv | fields wmi_type,host,PercentProcessorTime,Contexts,AvailableMBytes | timechart max(AvailableMBytes) by host | max(PercentProcessorTime) by host | timechart max(Context) by host

That doesn't work. "Fields missing" on the second two timechart commands. Changing the order shows it isn't an issue with the data. So I've tried this, and I get the error "Error in 'timechart' command: When you specify a split-by field, only single functions applied to a non-wildcarded data field are allowed."

index="wmi" host="hostprefix*" (wmi_type=CPUTime OR wmi_type=NET OR wmi_type=Memory) | kv | fields wmi_type,host,PercentProcessorTime,Contexts,AvailableMBytes | timechart max(AvailableMBytes), max(Context), max(PercentProcessorTime) by host

I've also tried the following, which returns the error "Error in 'timechart' command: The argument 'max(Context)' is invalid."

index="wmi" host="hostprefix*" (wmi_type=CPUTime OR wmi_type=NET OR wmi_type=Memory) | kv | fields wmi_type,host,PercentProcessorTime,Contexts,AvailableMBytes | timechart max(AvailableMBytes) by host, max(Context) by host, max(PercentProcessorTime) by host

Why is that? I truly want to split all three items by host. I can have three different graphs, but that isn't really what I want.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

steveyz
Splunk Employee
Splunk Employee
‎01-11-2011 07:06 PM

Unfortunately, with timechart, if you specify a field to split by, you can not specify more than one item to graph. This is because, when you split by a field, the distinct values of that field become the column/field names. In essense you want to produce a graph with 3 axis (time, host, and AvailableMBytes/Context/PercentProcessorTime), but we can only produce 2D tables and charts.

You could try doing this (basically flattening the 3rd axis together with the host field):

index="wmi" host="hostprefix*" (wmi_type=CPUTime OR wmi_type=NET OR wmi_type=Memory)
| kv
| fields wmi_type,host,PercentProcessorTime,Contexts,AvailableMBytes
| eval pivot = "PercentProcessorTime;Contexts;AvailableMBytes"
| makemv pivot delim=";"
| mvexpand pivot
| eval x=if(pivot="PercentProcessorTime",PercentProcessorTime,if(pivot="Contexts",Contexts,AvailableMBytes))
| eval host = pivot . "-" . host
| timechart max(x) by host

View solution in original post

Reply
Solved! Jump to solution
Solution

steveyz
Splunk Employee
Splunk Employee
‎01-11-2011 07:06 PM

Unfortunately, with timechart, if you specify a field to split by, you can not specify more than one item to graph. This is because, when you split by a field, the distinct values of that field become the column/field names. In essense you want to produce a graph with 3 axis (time, host, and AvailableMBytes/Context/PercentProcessorTime), but we can only produce 2D tables and charts.

You could try doing this (basically flattening the 3rd axis together with the host field):

index="wmi" host="hostprefix*" (wmi_type=CPUTime OR wmi_type=NET OR wmi_type=Memory)
| kv
| fields wmi_type,host,PercentProcessorTime,Contexts,AvailableMBytes
| eval pivot = "PercentProcessorTime;Contexts;AvailableMBytes"
| makemv pivot delim=";"
| mvexpand pivot
| eval x=if(pivot="PercentProcessorTime",PercentProcessorTime,if(pivot="Contexts",Contexts,AvailableMBytes))
| eval host = pivot . "-" . host
| timechart max(x) by host
Reply
Solved! Jump to solution

steveyz
Splunk Employee
Splunk Employee
‎01-20-2011 05:57 AM

By the way, in 4.2, which will be released in the near future, you will be able to do multi-series split-by within chart or timechart

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎01-13-2011 07:15 AM

This http://www.splunk.com/base/Documentation/4.1.6/User/ReportOfMultipleDataSeries shows a slightly different way of doing it.

0 Karma
Reply
Solved! Jump to solution

tedder
Communicator
‎01-12-2011 10:05 PM

the one minor bit:

| eval host = pivot . "-" host

should be:

| eval host = pivot . "-" . host

But that works!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

Data Management Digest – May 2026

Welcome to the May 2026 edition of Data Management Digest!   As your trusted partner in data innovation, the ...