How to create a stacked column timechart with mult...

glitchcowboy · ‎02-19-2015

I'd like this timechart to be stacked with each vertical stack having in/out for each service_desc. Another way to say it would be that

I want three stacks/columns for each time span. Each column will have 2 values : in_kbps and out_kbps. Any hints?

sourcetype=service_perfdata service_desc="traffic-dc-asa-fw-*" 
|rex field=inBandwidth "(?<in_kbps>\d+\.\d+)Kbs"
|rex field=outBandwidth "(?<out_kbps>\d+\.\d+)Kbs" 
|eval in_kbps=in_kbps/1024|eval out_kbps=out_kbps/1024
|timechart avg(in_kbps) avg(out_kbps) by service_desc

ramdaspr · ‎02-19-2015

EDIT: Does not work. It does split them by service_desc but doesnt stack the avgs. Close but no cigar.

Timechart doesnt allow for multi series unfortunately so you have to jump through a few hoops to get this setup. Basing on the docs the below code should do it

sourcetype=service_perfdata service_desc="traffic-dc-asa-fw-*" 
 |rex field=inBandwidth "(?<in_kbps>\d+\.\d+)Kbs"
 |rex field=outBandwidth "(?<out_kbps>\d+\.\d+)Kbs" 
 |eval in_kbps=in_kbps/1024|eval out_kbps=out_kbps/1024
 |stats avg(in_kbps) as AvgIn avg(out_kbps) as AvgOut by _time,service_desc
 | eval merge="in_kbps out_kbps" 
 | makemv merge
 | mvexpand merge
 | eval YAxis=case(merge=="in_kbps", AvgIn,merge=="out_kbps",AvgOut)
 | eval SeriesName=service_desc+":"+merge
 | xyseries _time,SeriesName,YAxis

How to create a stacked column timechart with multiple series?

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

Improve Data Pipelines Using Splunk Data Management

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?