Splunk Search

How to combine two different searches to display together on the same chart?

idab
Path Finder

Hi Everyone,

I am trying to combine the outputs of two different searches into one chart. Presently, I have the Disk Reads/sec and Disk Writes/sec on different charts, but I want the data representation to appear together on the same chart. How can I do this?

SPL below:

index=perfmon counter="Disk Reads/sec" OR counter="Disk Writes/sec Host="*" collection=LogicalDisk
[search index=perfmon counter="Disk Reads/sec" Host=megatron collection=PhysicalDisk | stats avg(Value) as Disk__sec_read by host | fields host ]
| eval dataValue="latency:" + tostring(round(latency,3)) + "," + "Disk Reads:" + tostring(round(Value,3))
| makemv delim="," allowempty=true dataValue
| mvexpand dataValue
| eval part=split(dataValue,":")
| eval category = Host + ":" + mvindex(part,0)
| eval dataPoint = tonumber(mvindex(part,1))
| timechart span=5m latest(dataPoint) by category

http://answers.splunk.com/storage/temp/59228-combine.jpg


jaredlaney
Contributor

Are you looking for something like this?

http://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-joi...

They reference that the join and the append will work but give you a better "OR" command.

idab
Path Finder

Hi jaredlaney,
I did go to that specific link. I just couldn't make sense of the process - still a newbie on Splunk 🙂 Instead, I came up with this:

index=perfmon counter="Disk Reads/sec" OR counter="Disk Writes/sec" Host="*" collection=PhysicalDisk instance=_Total
| eval readValues = round(Values,2)
| eval writeValues = round(Values,2)
| fields host counter Value writeValues readValues
| timechart span=5s values(readValues) AS Disk_Reads_sec, values(writeValues) AS Disk_Write_sec by host

But, it doesn't display any output. Any idea why?

0 Karma

chanmi2
Path Finder

It might be because you use values(). timechart cannot show a field with multiple values. You may change
| timechart span=5s values(readValues) AS Disk_Reads_sec, values(writeValues) AS Disk_Write_sec by host
to
| timechart span=5s latest(readValues) AS Disk_Reads_sec, latest(writeValues) AS Disk_Write_sec by host
Use any stats function that returns one value only.

0 Karma

jaredlaney
Contributor

@idab - When I have a problem like this, I usually trace back through the command removing piped commands until I see where it is not returning data.

Is this command below returning data? If not, continue to remove piped commands until you find the issue and let me know.

index=perfmon counter="Disk Reads/sec" OR counter="Disk Writes/sec" Host="*" collection=PhysicalDisk instance=_Total |eval readValues = round(Values,2) |eval writeValues = round(Values,2) |fields host counter Value writeValues readValues | table host counter Value writeValues readValues

idab
Path Finder

Hi jaredlaney,
Yes, the command returns some data. But it doesn't plot together as a chart showing the diskread/sec and diskwrite/sec for each host. What I have in mind is for the graph to display both diskread/sec and diskwrite/sec over time on the same chart. I tried removing each pipe as suggested to see if I could get it to appear as a single chart over time - but no joy. 😞

0 Karma

jaredlaney
Contributor

It appears that you are not getting any values for writeValues and readValues. Even if it did return, reads and writes would be munged together. Could you possibly create a calculated field for reads and writes?

Doc for Calculated Reads (UI = Settings->Fields->Calculated fields)
http://docs.splunk.com/Documentation/Splunk/6.2.5/Knowledge/definecalcfields

Then run the command suggested by @chanmi2:
| timechart span=5s latest(readValues) AS Disk_Reads_sec, latest(writeValues) AS Disk_Write_sec by host

0 Karma
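
Added example, not part of any post in this thread: a self-contained search showing the per-counter split that the reply above asks for, using inline `eval` rather than a saved calculated field. The first six lines build constructed sample events with `makeresults` (host `megatron`, alternating counters, made-up `Value` numbers), and the search assumes the perfmon reading is in the field `Value`, the name used in the `fields` clause of the posts above.

```spl
| makeresults count=6
| streamstats count AS n
| eval _time = now() - (6 - n) * 300
| eval host = "megatron"
| eval counter = if(n % 2 == 0, "Disk Reads/sec", "Disk Writes/sec")
| eval Value = n * 1.2345
| eval readValues = if(counter == "Disk Reads/sec", round(Value, 2), null())
| eval writeValues = if(counter == "Disk Writes/sec", round(Value, 2), null())
| timechart span=5m latest(readValues) AS Disk_Reads_sec, latest(writeValues) AS Disk_Write_sec by host
```

To run it against real data, replace the six generating lines with the base search from the thread (index=perfmon, both counters, collection=PhysicalDisk, instance=_Total) and keep the last three lines.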

woodcock
Esteemed Legend

What is the SPL you gave; is it a failed attempt to combine? What are the 2 searches driving the 2 charts in the image?

0 Karma

idab
Path Finder

The search above is the failed attempt to combine. The SPL above will generate the chart as shown when a single counter is used.

For instance:
index=perfmon counter="Disk Reads/sec" Host="*" collection=LogicalDisk [search index=perfmon counter="Disk Reads/sec" Host=megatron collection=PhysicalDisk..........

index=perfmon counter="Disk Writes/sec Host="*" collection=LogicalDisk [search index=perfmon counter="Disk Reads/sec" Host=megatron collection=PhysicalDisk.............

0 Karma