Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I combine two graphs into one?

yk010123
Path Finder
‎04-20-2023 09:22 AM

I have the following queries: 

 

 

 

 

index=myIndex  app_name IN (my-app-a, my-app-b) process=end
| eval app_name = replace(app_name, "-[ab]$", "")
| where match(status, "^[45][0-9]{2}$") AND in(status, "500",  "503",  "504") 
| timechart count by status


index=myIndex method!=GET process="start" app_name IN (my-app-a, my-app-b) process=end
| eval app_name=replace(app_name, "-[ab]$", "")
| timechart count
| timechart per_second(*)

 

 

Where the first query returns the numbers of errors over time and the second query the requests per second

 

Even if there are no errors, it should paint a graph with 0 and still include the requests per second. The end goal is to be able to compare the requests per second/error ratio

 

 

How can I combine these two into a single chart with two separate graphs?

My best attempt : 

index=myIndex app_name IN (my-app-a, my-app-b) process=end
| eval app_name = replace(app_name, "-[ab]$", "")
| where match(status, "^[45][0-9]{2}$") AND in(status, "500", "503", "504")
| timechart span=1h count as error_count
| append
[search index=myIndex app_name IN (my-app-a, my-app-b) process=end
| eval app_name=replace(app_name, "-[ab]$", "")
| timechart span=1h count as requests_per_hour
| fields _time, requests_per_hour]
| stats sum(error_count) as error_count sum(requests_per_hour) as requests_per_hour by _time
| sort -requests_per_hour

 

Is there any other way to do this?

Labels (4)
0 Karma
Reply

woodcock
Esteemed Legend
‎04-20-2023 05:02 PM

Do not use "append" in production.  Something like this.  Start with a shared pre-process search like this:

index="myIndex" AND app_name IN("my-app-a", "my-app-b")
AND (process="end")
OR (NOT method="GET" AND process="start" AND status IN(status, "500", "503", "504"))
| append [|makeresults count=5]
| streamstats count
| eval status=max(500 + count)
| eval time = _time - count
| timechart count(eval(process=="end")) AS endCount per_second(*) BY status

Then the first post-process will be this:
table _* endCount* | rename endCount* AS count*

And the other post-process will take some work...

Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-20-2023 11:12 AM

Try something like this

index=myIndex app_name IN (my-app-a, my-app-b) process=end
| timechart span=1h count(eval(match(status, "^[45][0-9]{2}$") AND in(status, "500", "503", "504"))) as error_count count as requests_per_hour
| sort -requests_per_hour
0 Karma
Reply

yk010123
Path Finder
‎04-20-2023 11:40 AM

This will create a single graph, no?

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Community Content Calendar, November Edition

Welcome to the November edition of our Community Spotlight! Each month, we dive into the Splunk Community to ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...