- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How can I combine two graphs into one?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How can I combine two graphs into one?
I have the following queries:
index=myIndex app_name IN (my-app-a, my-app-b) process=end
| eval app_name = replace(app_name, "-[ab]$", "")
| where match(status, "^[45][0-9]{2}$") AND in(status, "500", "503", "504")
| timechart count by status
index=myIndex method!=GET process="start" app_name IN (my-app-a, my-app-b) process=end
| eval app_name=replace(app_name, "-[ab]$", "")
| timechart count
| timechart per_second(*)
Where the first query returns the numbers of errors over time and the second query the requests per second
Even if there are no errors, it should paint a graph with 0 and still include the requests per second. The end goal is to be able to compare the requests per second/error ratio
How can I combine these two into a single chart with two separate graphs?
My best attempt :
index=myIndex app_name IN (my-app-a, my-app-b) process=end
| eval app_name = replace(app_name, "-[ab]$", "")
| where match(status, "^[45][0-9]{2}$") AND in(status, "500", "503", "504")
| timechart span=1h count as error_count
| append
[search index=myIndex app_name IN (my-app-a, my-app-b) process=end
| eval app_name=replace(app_name, "-[ab]$", "")
| timechart span=1h count as requests_per_hour
| fields _time, requests_per_hour]
| stats sum(error_count) as error_count sum(requests_per_hour) as requests_per_hour by _time
| sort -requests_per_hour
Is there any other way to do this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do not use "append" in production. Something like this. Start with a shared pre-process search like this:
index="myIndex" AND app_name IN("my-app-a", "my-app-b")
AND (process="end")
OR (NOT method="GET" AND process="start" AND status IN(status, "500", "503", "504"))
| append [|makeresults count=5]
| streamstats count
| eval status=max(500 + count)
| eval time = _time - count
| timechart count(eval(process=="end")) AS endCount per_second(*) BY status
Then the first post-process will be this:
table _* endCount* | rename endCount* AS count*
And the other post-process will take some work...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like this
index=myIndex app_name IN (my-app-a, my-app-b) process=end
| timechart span=1h count(eval(match(status, "^[45][0-9]{2}$") AND in(status, "500", "503", "504"))) as error_count count as requests_per_hour
| sort -requests_per_hour- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Introducing the Splunk Community Dashboard Challenge!
Get the T-shirt to Prove You Survived Splunk University Bootcamp
Wondering How to Build Resiliency in the Cloud?
