Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I combine two graphs into one?

yk010123
Path Finder
‎04-20-2023 09:22 AM

I have the following queries: 

 

 

 

 

index=myIndex  app_name IN (my-app-a, my-app-b) process=end
| eval app_name = replace(app_name, "-[ab]$", "")
| where match(status, "^[45][0-9]{2}$") AND in(status, "500",  "503",  "504") 
| timechart count by status


index=myIndex method!=GET process="start" app_name IN (my-app-a, my-app-b) process=end
| eval app_name=replace(app_name, "-[ab]$", "")
| timechart count
| timechart per_second(*)

 

 

Where the first query returns the numbers of errors over time and the second query the requests per second

 

Even if there are no errors, it should paint a graph with 0 and still include the requests per second. The end goal is to be able to compare the requests per second/error ratio

 

 

How can I combine these two into a single chart with two separate graphs?

My best attempt : 

index=myIndex app_name IN (my-app-a, my-app-b) process=end
| eval app_name = replace(app_name, "-[ab]$", "")
| where match(status, "^[45][0-9]{2}$") AND in(status, "500", "503", "504")
| timechart span=1h count as error_count
| append
[search index=myIndex app_name IN (my-app-a, my-app-b) process=end
| eval app_name=replace(app_name, "-[ab]$", "")
| timechart span=1h count as requests_per_hour
| fields _time, requests_per_hour]
| stats sum(error_count) as error_count sum(requests_per_hour) as requests_per_hour by _time
| sort -requests_per_hour

 

Is there any other way to do this?

Labels (4)
0 Karma
Reply

woodcock
Esteemed Legend
‎04-20-2023 05:02 PM

Do not use "append" in production.  Something like this.  Start with a shared pre-process search like this:

index="myIndex" AND app_name IN("my-app-a", "my-app-b")
AND (process="end")
OR (NOT method="GET" AND process="start" AND status IN(status, "500", "503", "504"))
| append [|makeresults count=5]
| streamstats count
| eval status=max(500 + count)
| eval time = _time - count
| timechart count(eval(process=="end")) AS endCount per_second(*) BY status

Then the first post-process will be this:
table _* endCount* | rename endCount* AS count*

And the other post-process will take some work...

Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-20-2023 11:12 AM

Try something like this

index=myIndex app_name IN (my-app-a, my-app-b) process=end
| timechart span=1h count(eval(match(status, "^[45][0-9]{2}$") AND in(status, "500", "503", "504"))) as error_count count as requests_per_hour
| sort -requests_per_hour
0 Karma
Reply

yk010123
Path Finder
‎04-20-2023 11:40 AM

This will create a single graph, no?

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...