Solved: Re: timechart with dynamic data series?

yww325 · ‎12-28-2017

I found a document saying you can create multiple data series here:
http://docs.splunk.com/Documentation/Splunk/latest/Search/Chartmultipledataseries
But the number of data series is a fixed value, you have to specify these names and conditions for each of them.
In my case, let's assume we have a ReturnCode field and an AppName field in the search return, the return number could be any number.
I want to see a timely distribution, so I used time chart, and I also want data series group by AppName and ReturnCode, so now I use like | timechart count(eval(ReturnCode=1)) as 1, count(eval(ReturnCode=2)) as 2 by AppName
But I realize the ReturnCode can be totally different according to the application(AppName), for AppA, return code can be 1,2,3,4; for AppB, return code can be 2,3,5. I want one colored data series for each combination of AppName+ReturnCode in the timechart
How can I achieve that?

somesoni2 · ‎12-28-2017

Give this a try

your base search 
| eval App_RC=AppName.":".ReturnCode
| timechart count by App_RC

View solution in original post

yww325 · ‎12-28-2017

Yes, that will work, thank you.

somesoni2 · ‎12-28-2017

Give this a try

your base search 
| eval App_RC=AppName.":".ReturnCode
| timechart count by App_RC

niketn · ‎12-28-2017

@yww325, I have converted @somesoni2 's comment to answer. Please accept to mark this as answered.
Also make sure you post your comments using Add comment for specific thread instead of posting a new answer.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

timechart with dynamic data series?

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)