Splunk Search

Getting "Series filtering is disabled if a split-by field is used in conjunction with multiple data" warning

tkadale
Path Finder

I have shown a timechart for 2 fields. The query is as follows:

timechart max(input_error) , max(output_error) by host

When this query runs, graphs are displayed properly, but at the top a warning message is shown as follows:

Series filtering is disabled if a split-by field is used in conjunction with multiple data

How should I remove this warning?

Thanks in advance.


hexx
Splunk Employee

When you use timechart, you have to choose between using multiple aggregation functions and no split-by field (example: timechart span=1d max(input_error), max(output_error), avg(output_error)) or using a single aggregation function with a split-by field (example: timechart span=1h perc95(output_error) by host).

You cannot use multiple aggregation functions in conjunction with a split-by field.

What is happening for your search is that Splunk is dropping the "by host" split-by field and will show the values aggregated over all hosts for "max(input_error)" and "max(output_error)" as two data-point series on the graph, just as if you had run "timechart max(input_error), max(output_error)".

For more information on the syntax of timechart and to see examples of its usage, please refer to http://www.splunk.com/base/Documentation/latest/SearchReference/Timechart

gkanapathy
Splunk Employee

Here is how you would be able to work around the limitation described: http://www.splunk.com/base/Documentation/latest/User/ReportOfMultipleDataSeries
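One way to chart both aggregates per host as separate series, shown as an added example that is not part of the original thread and is not copied from the linked documentation. The base search (`index=network sourcetype=interface_stats`), the `span=1h` bucket size and the helper field names `metric`, `value` and `series` are assumptions made for illustration; `input_error`, `output_error` and `host` come from the question.

```spl
index=network sourcetype=interface_stats
| bin _time span=1h
| stats max(input_error) AS input_error max(output_error) AS output_error BY _time host
| eval metric=mvappend("input_error", "output_error")
| mvexpand metric
| eval value=case(metric=="input_error", input_error, metric=="output_error", output_error)
| eval series=host.":".metric
| xyseries _time series value
```

The result has one column per host and metric pair (for example `hostA:input_error`), so a single-series-per-column chart can render it. Unlike timechart, stats does not emit rows for empty time buckets, so gaps in the data appear as missing points.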
