Solved: Adding Values from Different Graphs Together

andresvelazq · ‎07-16-2020

Hello,

Still rather new at Splunk, I have 4 hosts that I need to add the values of 3 different graphs I obtained from Analytics. I'm not entirely sure how to do that, I tried putting all those together and opening search to see if I could work out how to add the values, but I'm just pretty lost on this.

So is there a way to do this? If so, how?

andresvelazq · ‎07-17-2020

figured it out, replaced the avg from to4kawa's post to sum, removed the eval hosts line and did the timechart by host instead of hosts

View solution in original post

richgalloway · ‎07-16-2020

More information is needed. How were the 3 graphs produced? What does the data look like? What should the results look like? Can you share your current queries?

---
If this reply helps you, Karma would be appreciated.

andresvelazq · ‎07-16-2020

Sorry about that, the content of the search is this (changed index and host names):

| mstats avg(_value) prestats=true WHERE metric_name="logicaldisk.disk_writes/sec" AND index="indexname" AND host="host*" span=10s BY host
| timechart avg(_value) span=10s agg=max limit=5 useother=false BY host
| fields - _span*
| rename * AS "* - logicaldisk.disk_writes/sec"
| rename "_time - logicaldisk.disk_writes/sec" AS _time
| append [
| mstats avg(_value) prestats=true WHERE metric_name="logicaldisk.disk_reads/sec" AND index="indexname" AND host="host*" span=10s BY host
| timechart avg(_value) span=10s agg=max limit=5 useother=false BY host
| fields - _span*
| rename * AS "* - logicaldisk.disk_reads/sec"
| rename "_time - logicaldisk.disk_reads/sec" AS _time
]
| selfjoin keepsingle=true _time
| append [
| mstats avg(_value) prestats=true WHERE metric_name="logicaldisk.disk_transfers/sec" AND index="indexname" AND host="host*" span=10s BY host
| timechart avg(_value) span=10s agg=max limit=5 useother=false BY host
| fields - _span*
| rename * AS "* - logicaldisk.disk_transfers/sec"
| rename "_time - logicaldisk.disk_transfers/sec" AS _time
]
| selfjoin keepsingle=true _time

The original graphs were grabbed from the Analytics tab next to search, shows the reads, writes, and transfers per second for each of 4 hosts. I'd like to add the values obtained from each of the three graphs and have one graph with 4 lines showing the sums of the information for each server. The statistics table is mostly empty, left most column lists the times. There are 12 columns, each named one of the 4 hosts, followed by read/write/transfer per second. The rows only have 3 values in each, just the amount of reads/writes/transfers at that time for a specific host.

Is that enough info?

to4kawa · ‎07-16-2020

| mstats avg(_value) prestats=true WHERE (metric_name="logicaldisk.disk_writes/sec" OR metric_name="logicaldisk.disk_reads/sec" OR metric_name="logicaldisk.disk_transfers/sec" )AND index="indexname" AND host="host*" span=10s BY host metric_name

| eval hosts=host." - ".metric_name

|timechart avg(_value) span=10s agg=max limit=5 useother=false BY hosts
| fields - _span*

andresvelazq · ‎07-17-2020

figured it out, replaced the avg from to4kawa's post to sum, removed the eval hosts line and did the timechart by host instead of hosts

andresvelazq · ‎07-17-2020

thank you, that's a much cleaner form for the search, but how would I go about adding the read, write, and transfers for each host?

Adding Values from Different Graphs Together

chart

other

stats

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?