Splunk Search

Display time chart grouping by 2 fields

RemyaT
Explorer

I have a Splunk query that helps me to visualize different APIs vs Time as below. Using this query I could see each line graph for each APIs in the given time.

index=sample_index 
|timechart span=1m count by API

  My actual requirement is to get the count by 2 fields (API and Consumer). ie I need a time graph for each API and Consumer combination.

One graph for API1_Consumer1, one for API1_Consumer2, and one for API2_Consumer3 like that. How can I achieve that?

Labels (3)
0 Karma
1 Solution

danspav
SplunkTrust
SplunkTrust

Hi @RemyaT,

If you would like a single line graph with a line for each API/Consumer combo you could do the following:

| fillnull API, Consumer value="(blank)"
| eval API_Consumer = API . " - " . Consumer
| timechart span=1m count by API_Consumer

 
Here we're creating a new field called "API_Consumer" that will simply have the values for the API and Consumer separated by a hyphen: " - "

When the graph is created, you will have 1 line for each unique combo of API and Consumer fields. 

If any API or Consumer are blank, we change them to the value "(blank)" - you can change this or remove it if it's not needed in your case. 

 

If you want a separate graph per API-Consumer pair, you can choose a line graph and use Trellis mode:

danspav_0-1690525521969.png

When you split by API_Consumer, it will create one graph per API-Consumer pair (up to a max of 20 pairs)

 

 

Hope that helps,
Cheers,
Daniel

 

View solution in original post

0 Karma

RemyaT
Explorer

Exactly what I wanted. Thanks bunch Daniel.

0 Karma

danspav
SplunkTrust
SplunkTrust

Hi @RemyaT,

If you would like a single line graph with a line for each API/Consumer combo you could do the following:

| fillnull API, Consumer value="(blank)"
| eval API_Consumer = API . " - " . Consumer
| timechart span=1m count by API_Consumer

 
Here we're creating a new field called "API_Consumer" that will simply have the values for the API and Consumer separated by a hyphen: " - "

When the graph is created, you will have 1 line for each unique combo of API and Consumer fields. 

If any API or Consumer are blank, we change them to the value "(blank)" - you can change this or remove it if it's not needed in your case. 

 

If you want a separate graph per API-Consumer pair, you can choose a line graph and use Trellis mode:

danspav_0-1690525521969.png

When you split by API_Consumer, it will create one graph per API-Consumer pair (up to a max of 20 pairs)

 

 

Hope that helps,
Cheers,
Daniel

 

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...