Hi Everyone,
I am trying to combine the outputs of two different searches into one chart. Presently, I have the Disk Reads/sec and Disk Writes/sec on different charts, but I want the data representation to appear together on the same chart. How can I do this?
SPL below:
index=perfmon counter="Disk Reads/sec" OR counter="Disk Writes/sec Host="*" collection=LogicalDisk [search index=perfmon counter="Disk Reads/sec" Host=megatron collection=PhysicalDisk | stats avg(Value) as Disk__sec_read by host | fields host ] | eval dataValue="latency:" + tostring(round(latency,3)) + "," + "Disk Reads:" + tostring(round(Value,3)) | makemv delim="," allowempty=true dataValue | mvexpand dataValue | eval part=split(dataValue,":") | eval category = Host + ":" + mvindex(part,0) | eval dataPoint = tonumber(mvindex(part,1)) | timechart span=5m latest(dataPoint) by category
Are you looking for something like this?
They reference that the join and the append will work but give you a better "OR" command.
Hi jaredlaney,
I did go to that specific link. Just couldn't make sense of the process - still a newbie on Splunk 🙂 Instead, I came up with this:
index=perfmon counter="Disk Reads/sec" OR counter="Disk Writes/sec" Host="*" collection=PhysicalDisk instance=_Total |eval readValues = round(Values,2) |eval writeValues = round(Values,2) |fields host counter Value writeValues readValues |timechart span=5s values(readValues) AS Disk_Reads_sec, values(writeValues) AS Disk_Write_sec by host
But, it doesn't display any output. Any idea why?
It might be because you use values(). timechart cannot show a field with multiple values. You may change
| timechart span=5s values(readValues) AS Disk_Reads_sec, values(writeValues) AS Disk_Write_sec by host
to
| timechart span=5s latest(readValues) AS Disk_Reads_sec, latest(writeValues) AS Disk_Write_sec by host
Use any stats function that returns one value only.
@idab - When I have a problem like this, I usually trace back through the command removing piped commands until I see where it is not returning data.
Is this command below returning data? If not, continue to remove piped commands until you find the issue and let me know.
index=perfmon counter="Disk Reads/sec" OR counter="Disk Writes/sec" Host="*" collection=PhysicalDisk instance=_Total |eval readValues = round(Values,2) |eval writeValues = round(Values,2) |fields host counter Value writeValues readValues | table host counter Value writeValues readValues
Hi jaredlaney,
Yes, the command returns some data. But it doesn't plot together as a chart showing the diskread/sec and diskwrite/sec for each host. What I have in mind is for the graph to display both diskread/sec and diskwrite/sec over time on the same chart. I tried removing each pipe as suggested to see if I could get it to appear as a single chart over time - but no joy. 😞
It appears that you are not getting any values for writeValues and readValues. Even if it did return, reads and writes would be munged together. Could you possibly create a calculated field for reads and writes?
Doc for Calculated Reads (UI = Settings->Fields->Calculated fields)
http://docs.splunk.com/Documentation/Splunk/6.2.5/Knowledge/definecalcfields
Then run the command suggested by @chanmi2:
| timechart span=5s latest(readValues) AS Disk_Reads_sec, latest(writeValues) AS Disk_Write_sec by host
What is the SPL you gave; is it a failed attempt to combine? What are the 2 searches driving the 2 charts in the image?
The search above is the failed attempt to combine. The SPL above will generate the chart as shown when a single counter is used.
For instance:
index=perfmon counter="Disk Reads/sec" Host="*" collection=LogicalDisk [search index=perfmon counter="Disk Reads/sec" Host=megatron collection=PhysicalDisk..........
index=perfmon counter="Disk Writes/sec Host="*" collection=LogicalDisk [search index=perfmon counter="Disk Reads/sec" Host=megatron collection=PhysicalDisk.............
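One way to get both counters onto a single timechart, as an added example that is not part of the original thread. It assumes, as the searches above do, that each perfmon event carries the counter name in `counter` and the numeric sample in `Value`; the 5m span is an arbitrary choice.

```spl
index=perfmon collection=PhysicalDisk instance=_Total
    (counter="Disk Reads/sec" OR counter="Disk Writes/sec")
| eval readValues  = if(counter=="Disk Reads/sec",  round(Value, 2), null())
| eval writeValues = if(counter=="Disk Writes/sec", round(Value, 2), null())
| timechart span=5m latest(readValues) AS Disk_Reads_sec, latest(writeValues) AS Disk_Writes_sec by host
```

Each `eval` fills its field only for events of the matching counter, so reads and writes stay separate series per host instead of both being copies of the same number. The `eval` lines read `Value`, the field name listed in the thread's `fields` and `table` clauses.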