Splunk Search

How can I fix my double timechart graphs?

netanelm7
Path Finder

I want to see 2 timecharts that each 1 contains different counter

my search is:
source="perfmon:test" counter="Private Bytes" NOT _total instance=chrome | eval MB_Used=Value/1024/1024 | timechart sum(MB_Used) by instance useother=f | append [search counter="Working Set Peak" NOT _total instance=chrome | eval MB_Used=Value/1024/1024 | timechart span=1m avg(MB_Used) useother=f by instance]

With the append command I managed to add the timecharts together but I see them with the same name and the graphs look awkward (the 2 timecharts have the same name so it shows them awkwardly).
Do you have any idea?

0 Karma
1 Solution

jfraiberg
Communicator

add this to the end of your 2nd search - "| rename instance AS instance2"

View solution in original post

DalJeanis
SplunkTrust
SplunkTrust

@netanelm7 - How do you want this to look? What is the relationship of the two things you are calculating?

0 Karma

netanelm7
Path Finder

they are both counters of the same instance, i want to see 2 counters for each instance if i do "timechart by instance"

0 Karma

netanelm7
Path Finder

Thank you!!
If im doing a timechart with "by instance", i will have to rename every instance so it wont have the same name?

0 Karma

jfraiberg
Communicator

no, you are only renaming the name of the field, not the values.

0 Karma

netanelm7
Path Finder

Yeah but i see each instance in the first line of each column, which means every instance is a field right?

0 Karma

jfraiberg
Communicator

I am sorry, I totally misunderstood. Try this:

source="perfmon:test" counter="Private Bytes" NOT _total instance=chrome
| eval MB_Used=Value/1024/1024
| timechart sum(MB_Used) AS mb_private_bytes by instance useother=f

| appendcols [search counter="Working Set Peak" NOT _total instance=chrome
| eval MB_Used=Value/1024/1024
| timechart span=1m avg(MB_Used) AS mb_working_set_peak useother=f by instance]

0 Karma

netanelm7
Path Finder

Not working, still showing me 1 column named "chrome"

0 Karma

jfraiberg
Communicator

hmm, that should give you 2 columns, one called mb_private_bytes and one called mb_working_set_peak with chrome as the instance. Is that not what you are seeing?

What happens if you change the chart format to "multi series mode"?

0 Karma

jfraiberg
Communicator

or you can keep it as column, but go to "overlay" and chose one of the values..

0 Karma

jfraiberg
Communicator

add this to the end of your 2nd search - "| rename instance AS instance2"

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...