Getting Data In

Chart multiple series in Splunk 7.3: what's new?

Graham_Hanningt
Builder

The Splunk 7.3 release notes describe the following "what's new" item:

Chart multiple series
Co-analyze multiple related metrics easily in the same view and create sophisticated visualizations for monitoring.

According to the Splunk 7.3.1 documentation topic "Build a chart of multiple data series":

Splunk transforming commands do not support a direct way to define multiple data series in your charts (or timecharts). However, you CAN achieve this using a combination of the stats and xyseries commands."

I've read that topic before, in previous Splunk versions, and have used the techniques it describes.

So, I'm curious: what is actually new about this item for 7.3? Does it refer to some new feature in SPL?

Or—noting the reference to, or qualification, metrics in that 7.3 "what's new" item—perhaps what's new here is a new feature in the Metrics Workspace, which generates SPL that uses the techniques in that "Build a chart of multiple data series"?

Confession: I dip in and out of Splunk every so often. I've read about metrics and the Metrics Workspace, but not yet used them. So far, I've only used events with SPL and Simple XML to develop dashboards.

0 Karma

patelmc
Explorer

This does not allow you to chart on multiple metric in single panel.
It only allows one metric per panel and it creates separate panel for each metric.
split by only allows to select dimension field for that also you can use only one dimension.

I am looking for to chart multiple metrics in a single panel.
I can do that using event data index but not with metrics index.
is there a way to do it?
Also metrics data index does not allow you to chart out of raw metric data. you have to use avg, max, min etc. mstat funtion.
is there a way for that too?

niketn
Legend

@Graham_Hannington I think you missed an very crucial part of information in the Splunk Documentation...

Co-analyze multiple related metrics as this feature is specifically for Metrics Index data through Metrics Workspace which comes pre-installed with 7.3. For prior 7x version you needed to install Metrics Workspace app separately from Splunkbase for this.

What you can try is suffix analysis_worspace in the URL besides your App and you should see Metrics work-space.

  https://<yourSplunkURL>/en-US/app/<yourAppName>/analysis_workspace

PS: This will work only on Metrics Index data.

I would also recommend you to search Splunkbase for Splunk Essentials App for specific latest release of Splunk to get examples of new features introduced in the same.

Following is the link to Splunk Essentials for Cloud and Enterprise 7.3 for your reference. Please do try out and confirm.

alt text

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

richgalloway
SplunkTrust
SplunkTrust

This question is something best submitted as feedback on the relevant documentation page(s). The Docs team is excellent about using feedback like this (not from Answers) to clarify the documentation.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...