Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Graphing multiple data sources in one chart
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Graphing multiple data sources in one chart
I found some similar questions on here, but not quite what I'm trying to do.
We have web access logs from several three different web servers (same host, though). I'd like to graph the number of unique hits from each web server on the same graph in a dashboard.
For example, one search is like this:
<searchString>host="xyz" sourcetype="*access*" source="*foo.access*" | timechart dc(remote_host)</searchString>
Another search/graph is like this:
<searchString>host="xyz" sourcetype="*access*" source="*bar.access*" | timechart dc(remote_host)</searchString>
I'd like both of these results to appear on the same graph. How can I do this?
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can simply OR them together, and then use the searchmatch function of eval to give yourself a field that indicates whether this is a source containing 'foo' or a source containing 'bar'.
(Im assuming there are a lot of difference sources matching the foo.access. condition, as well as a lot of sources matching the bar.access. condition.)
This should work:
host="xyz" sourcetype="*access*" ( source="*foo.access*" OR source="*bar.access*" ) | eval type=if(searchmatch(source="*foo.access.*"),"foo","bar") | timechart dc(remote_host) by type
NOTE: this is very similar to this other answer here: http://answers.splunk.com/questions/5423/comparing-values-returned-by-two-separate-searches/5439#543...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the response!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Probably
... | timechart dc(remote_host) by source
or
... | rex field=source "(?<s>[A-Za-z]+)\.access\b" | timechart dc(remote_host) by s
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Even m facing a same type of problem and by source works, but what if there are n no of distinct values in source and i want to plot graph for only 2 particular values..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Aaah. Worked! Thanks, both of you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you have angle brackets in the regex you need to either escape them, or preferably wrap them in a CDATA block. This link has an example of what CDATA looks like: http://www.quackit.com/xml/tutorial/xml_cdata.cfm
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for the reply. The "by source" solution works, but the path is too long for it to show the entire source file.
I can't get the "rex field=source" solution to work. Every time I ever try to use a rex in an XML file, I get a "mismatched tag" error. Not sure how to get around that.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It sounds like you want:
sourcetype="*access*" | timechart dc(remote_host) by host
(wrapping <searchString> tags removed for clarity)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes - my apologies, I read too quickly and missed where you said they were all on the same host. See below - the rex approach gkanapathy suggests is likely your best one.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for the reply. I think "by host" should be "by source", no? That works but, as I said in my comment below, the path to the source file is too long so it gets abbreviated, making it impossible to tell which source is which on the graph...
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
