Chart with multiple lines based on field values

fhobelman · ‎07-26-2018

case:

Logged events with differentiating fuellevel and the corresponding serial

Desired outcome:

alt text

So a graph with multiple lines, a line is based on a serialnumbers from the events, with vertically the value of a field within that same event.

Please help!

DalJeanis · ‎07-28-2018

That's just a basic timechart.

your search that gets the events with _time serial and fuellevel
 | timechart max(fuellevel) as fuellevel by serial

You can also try max(), min(), avg() first() last(), or any other aggregate command that seems relevant.

fhobelman · ‎07-29-2018

Thanks! That indeed gives me the max fuellevel per day! What is the option if I want to see it per event? Because some serials will have like 10 events per day and others will just have a few or even none on a day.

akocak · ‎07-27-2018

please send a sample of your data for better answer, however, I believe you are looking something similar to below:

 index=x sourcetype=y | eval number = fuellevel - correspondingserial | timechart values(number) values(serial1) values(serial2)

Chart with multiple lines based on field values

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?

Chart with multiple lines based on field values

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?