How to combine two different searches to display together on the same chart?

idab
Path Finder

Hi Everyone,

I am trying to combine the outputs of two different searches on one chart. Presently, I have the Disk Reads/sec and Disk Writes/sec on different charts, but I want the data representation to appear together on the same chart. How can I do this?

SPL below:

index=perfmon counter="Disk Reads/sec" OR counter="Disk Writes/sec Host="*" collection=LogicalDisk [search index=perfmon counter="Disk Reads/sec" Host=megatron collection=PhysicalDisk | stats avg(Value) as Disk__sec_read by host | fields host ]
| eval dataValue="latency:" + tostring(round(latency,3)) + "," + "Disk Reads:" + tostring(round(Value,3))
| makemv delim="," allowempty=true dataValue
| mvexpand dataValue
| eval part=split(dataValue,":")
| eval category = Host + ":" + mvindex(part,0)
| eval dataPoint = tonumber(mvindex(part,1))
| timechart span=5m latest(dataPoint) by category

http://answers.splunk.com/storage/temp/59228-combine.jpg

jaredlaney
Contributor

Are you looking for something like this?

http://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-joi...

They reference that the join and the append will work but give you a better "OR" command.

idab
Path Finder

Hi jaredlaney,
I did go to that specific link. I just couldn't make sense of the process - still a newbie on Splunk 🙂 Instead, I came up with this:

index=perfmon counter="Disk Reads/sec" OR counter="Disk Writes/sec" Host="*" collection=PhysicalDisk instance=_Total
| eval readValues = round(Values,2)
| eval writeValues = round(Values,2)
| fields host counter Value writeValues readValues
| timechart span=5s values(readValues) AS Disk_Reads_sec, values(writeValues) AS Disk_Write_sec by host

But, it doesn't display any output. Any idea why?

0 Karma

chanmi2
Path Finder

It might be because you use values(). timechart cannot show a field with multiple values. You may change
| timechart span=5s values(readValues) AS Disk_Reads_sec, values(writeValues) AS Disk_Write_sec by host
to
| timechart span=5s latest(readValues) AS Disk_Reads_sec, latest(writeValues) AS Disk_Write_sec by host
Use any stats function that returns one value only.

0 Karma

jaredlaney
Contributor

@idab - When I have a problem like this, I usually trace back through the command removing piped commands until I see where it is not returning data.

Is this command below returning data? If not, continue to remove piped commands until you find the issue and let me know.

index=perfmon counter="Disk Reads/sec" OR counter="Disk Writes/sec" Host="*" collection=PhysicalDisk instance=_Total |eval readValues = round(Values,2) |eval writeValues = round(Values,2) |fields host counter Value writeValues readValues | table host counter Value writeValues readValues

idab
Path Finder

Hi jaredlaney,
Yes, the command returns some data. But it doesn't plot together as a chart showing the diskread/sec and diskwrite/sec for each host. What I have in mind is for the graph to display both diskread/sec and diskwrite/sec over time on the same chart. I tried removing each pipe as suggested to see if I could get it to appear as a single chart over time - but no joy. 😞

0 Karma

jaredlaney
Contributor

It appears that you are not getting any values for writeValues and readValues. Even if it did return, reads and writes would be munged together. Could you possibly create a calculated field for reads and writes?

Doc for Calculated Reads (UI = Settings->Fields->Calculated fields)
http://docs.splunk.com/Documentation/Splunk/6.2.5/Knowledge/definecalcfields

Then run the command suggested by @chanmi2:
| timechart span=5s latest(readValues) AS Disk_Reads_sec, latest(writeValues) AS Disk_Write_sec by host

0 Karma
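
An added example, not written by any poster in this thread: one way to keep the two counters apart before charting, so that latest() returns a single number per series. It assumes the perfmon events carry the numeric sample in a field named Value (the name used in the fields and table lists above); the 5m span is taken from the original question.

```spl
index=perfmon collection=PhysicalDisk instance=_Total
    (counter="Disk Reads/sec" OR counter="Disk Writes/sec")
| eval readValues=if(counter="Disk Reads/sec", round(Value, 2), null())
| eval writeValues=if(counter="Disk Writes/sec", round(Value, 2), null())
| timechart span=5m latest(readValues) AS Disk_Reads_sec, latest(writeValues) AS Disk_Write_sec by host
```

Because each eval is null for the other counter's events, reads and writes land in separate series for each host instead of sharing one value.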

woodcock
Esteemed Legend

What is the SPL you gave; is it a failed attempt to combine? What are the 2 searches driving the 2 charts in the image?

0 Karma

idab
Path Finder

The search above is the failed attempt to combine. The SPL above will generate the chart as shown when a single counter is used.

For instance :
index=perfmon counter="Disk Reads/sec" Host="*" collection=LogicalDisk [search index=perfmon counter="Disk Reads/sec" Host=megatron collection=PhysicalDisk..........

index=perfmon counter="Disk Writes/sec Host="*" collection=LogicalDisk [search index=perfmon counter="Disk Reads/sec" Host=megatron collection=PhysicalDisk.............

0 Karma