Splunk Search

Can you shift one line of a multiline chart?

Path Finder

I have a need to track 2 related events. An object gets tagged if it fails a check. If the failure does not get fixed in 5 days the object is removed. Would there be a way on a multiline chart to shift one of the lines by 5 days? I want to be able to easily look at the chart and see what the difference is between failing whether or not the object gets fixed.

0 Karma

SplunkTrust

What's your current search and chart output? Is it possible for you to provide a mock expected output?

0 Karma

Path Finder

The search is pretty basic. It is actually 2 searches united with an appendcols; both searches end with a "| timechart span=1d count(field)". This produces a 3-column statistics output with _time, failed and removed, which the visualization returns as a nice graph, but I need to look either 5 days forward or back to see the related event count. Something like this:

index=test source=testsource tag=failed | timechart span=1d dc(itemid) | appendcols [ search index=test source=testsource tag=removed | timechart span=1d dc(itemid) ]

I was thinking that if I could change the query to just return the numbers without the _time column and then use latest=-5d, I could then do the line chart using those values, but I am having issues getting just the numbers.

0 Karma

SplunkTrust

Not sure if this is what you're looking for, but you can shift _time of one of the searches by adding that amount to all rows of that search, like this:

index=test source=testsource tag=failed | timechart span=1d dc(itemid) as failed | eval _time=relative_time(_time,"+5d") | appendcols [ search index=test source=testsource tag=removed | timechart span=1d dc(itemid) as removed ]

Your requirement seems a little complex, so I believe more details/examples would help here.
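
A single-search variant of the same shift, added here as an example and not posted by anyone in the thread: it moves only the tag=failed events forward 5 days and lets timechart split the series, so both lines are bucketed on the same _time axis. It assumes each event carries exactly one tag value (failed or removed) and reuses the index, source and itemid names from the searches above.

```spl
index=test source=testsource (tag=failed OR tag=removed)
| eval _time=if(tag=="failed", relative_time(_time, "+5d"), _time)
| timechart span=1d dc(itemid) by tag
```

The output has one column per tag value (failed and removed), with each failed count plotted on the day its 5-day deadline falls.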

Path Finder

The +5d does the trick. It moves the lines to have the proper relationship. I have 2 items to fix for the graph to look correct. With the shift, the 1st 5 days of the modified line are flat. The other issue is that since I am playing with the date, I think it would be better if I could hide the x-axis label and not show the date.

0 Karma