Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I fix my double timechart graphs?

netanelm7
Path Finder
‎10-13-2017 12:39 PM

I want to see 2 timecharts that each 1 contains different counter

my search is:
source="perfmon:test" counter="Private Bytes" NOT _total instance=chrome | eval MB_Used=Value/1024/1024 | timechart sum(MB_Used) by instance useother=f | append [search counter="Working Set Peak" NOT _total instance=chrome | eval MB_Used=Value/1024/1024 | timechart span=1m avg(MB_Used) useother=f by instance]

With the append command I managed to add the timecharts together but I see them with the same name and the graphs look awkward (the 2 timecharts have the same name so it shows them awkwardly).
Do you have any idea?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jfraiberg
Communicator
‎10-13-2017 01:45 PM

add this to the end of your 2nd search - "| rename instance AS instance2"

View solution in original post

Reply
Solved! Jump to solution

DalJeanis
SplunkTrust
SplunkTrust
‎10-13-2017 03:16 PM

@netanelm7 - How do you want this to look? What is the relationship of the two things you are calculating?

0 Karma
Reply
Solved! Jump to solution

netanelm7
Path Finder
‎10-13-2017 03:30 PM

they are both counters of the same instance, i want to see 2 counters for each instance if i do "timechart by instance"

0 Karma
Reply
Solved! Jump to solution

netanelm7
Path Finder
‎10-13-2017 03:10 PM

Thank you!!
If im doing a timechart with "by instance", i will have to rename every instance so it wont have the same name?

0 Karma
Reply
Solved! Jump to solution

jfraiberg
Communicator
‎10-13-2017 04:27 PM

no, you are only renaming the name of the field, not the values.

0 Karma
Reply
Solved! Jump to solution

netanelm7
Path Finder
‎10-13-2017 04:33 PM

Yeah but i see each instance in the first line of each column, which means every instance is a field right?

0 Karma
Reply
Solved! Jump to solution

jfraiberg
Communicator
‎10-13-2017 06:18 PM

I am sorry, I totally misunderstood. Try this:

source="perfmon:test" counter="Private Bytes" NOT _total instance=chrome
| eval MB_Used=Value/1024/1024
| timechart sum(MB_Used) AS mb_private_bytes by instance useother=f

| appendcols [search counter="Working Set Peak" NOT _total instance=chrome
| eval MB_Used=Value/1024/1024
| timechart span=1m avg(MB_Used) AS mb_working_set_peak useother=f by instance]

0 Karma
Reply
Solved! Jump to solution

netanelm7
Path Finder
‎10-14-2017 04:38 AM

Not working, still showing me 1 column named "chrome"

0 Karma
Reply
Solved! Jump to solution

jfraiberg
Communicator
‎10-14-2017 08:15 AM

hmm, that should give you 2 columns, one called mb_private_bytes and one called mb_working_set_peak with chrome as the instance. Is that not what you are seeing?

What happens if you change the chart format to "multi series mode"?

0 Karma
Reply
Solved! Jump to solution

jfraiberg
Communicator
‎10-14-2017 08:17 AM

or you can keep it as column, but go to "overlay" and chose one of the values..

0 Karma
Reply
Solved! Jump to solution
Solution

jfraiberg
Communicator
‎10-13-2017 01:45 PM

add this to the end of your 2nd search - "| rename instance AS instance2"

Reply
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...