- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to combine two different searches to displ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to combine two different searches to display together on the same chart?
Hi Everyone,
I am trying to combine the outputs of two different searches one chart. Presently, I have the Disk Reads/sec and Disk Writes/sec on different charts, but I want the data representation to appear together on the same chart. How can I do this?
SPL below:
index=perfmon counter="Disk Reads/sec" OR counter="Disk Writes/sec Host="*" collection=LogicalDisk [search index=perfmon counter="Disk Reads/sec" Host=megatron collection=PhysicalDisk | stats avg(Value) as Disk__sec_read by host | fields host ] | eval dataValue="latency:" + tostring(round(latency,3)) + "," + "Disk Reads:" + tostring(round(Value,3)) | makemv delim="," allowempty=true dataValue | mvexpand dataValue | eval part=split(dataValue,":") | eval category = Host + ":" + mvindex(part,0) | eval dataPoint = tonumber(mvindex(part,1)) | timechart span=5m latest(dataPoint) by category
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you looking for something like this?
They reference that the join and the append will work but give you a better "OR" command.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi jaredlaney,
I did go that specific link. Just couldn't make sense of the process - still a newbie on Splunk 🙂 Instead , I came-up with this:
index=perfmon counter="Disk Reads/sec" OR counter="Disk Writes/sec" Host="*" collection=PhysicalDisk instance=_Total |eval readValues = round(Values,2) |eval writeValues = round(Values,2) |fields host counter Value writeValues readValues |timechart span=5s values(readValues) AS Disk_Reads_sec, values(writeValues) AS Disk_Write_sec by host
But, it doesn't display any output. Any idea why?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It might because you use values(). timechart cannot show a field with multiple values. You may change
| timechart span=5s values(readValues) AS Disk_Reads_sec, values(writeValues) AS Disk_Write_sec by host
to
| timechart span=5s latest(readValues) AS Disk_Reads_sec, latest(writeValues) AS Disk_Write_sec by host
use any stats function that return one value only
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@idab - When I have a problem like this, I usually trace back through the command removing piped commands until I see where it is not returning data.
Is this command below returning data? If not, continue to remove piped commands until you find the issue and let me know.
index=perfmon counter="Disk Reads/sec" OR counter="Disk Writes/sec" Host="*" collection=PhysicalDisk instance=_Total |eval readValues = round(Values,2) |eval writeValues = round(Values,2) |fields host counter Value writeValues readValues | table host counter Value writeValues readValues
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi jaredlaney,
Yes, the command return some data.But, its doesn't plot together as a chart showing the diskread/sec and diskwrite/sec for each host?what I have in mind is for the graph to display both diskread/sec and diskwrite/sec over time on the same chart. I tried to removing each pipe as suggested to to see if I could get it to appear as a single chart over time - but no joy. 😞
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It appears that you are not getting any values for writeValues and readValues. Even if it did return, reads and writes would be munged together. Could you possibly create a calculated field for reads and writes?
Doc for Calculated Reads (UI = Settings->Fields->Calculated fields)
http://docs.splunk.com/Documentation/Splunk/6.2.5/Knowledge/definecalcfields
Then run the command suggested by @chanmi2:
| timechart span=5s latest(readValues) AS Disk_Reads_sec, latest(writeValues) AS Disk_Write_sec by host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What is the SPL you gave; is it a failed attempt to combine? What are the 2 searches driving the 2 charts in the image?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The search above is the failed attempt to combine. The SPL above will generate the chart as shown when a single counter is used.
For instance :
index=perfmon counter="Disk Reads/sec" Host="*" collection=LogicalDisk [search index=perfmon counter="Disk Reads/sec" Host=megatron collection=PhysicalDisk..........
index=perfmon counter="Disk Writes/sec Host="*" collection=LogicalDisk [search index=perfmon counter="Disk Reads/sec" Host=megatron collection=PhysicalDisk.............
Splunk Custom Visualizations App End of Life
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
