How to create a stacked column timechart with mult...

glitchcowboy · ‎02-19-2015

I'd like this timechart to be stacked with each vertical stack having in/out for each service_desc. Another way to say it would be that

I want three stacks/columns for each time span. Each column will have 2 values : in_kbps and out_kbps. Any hints?

sourcetype=service_perfdata service_desc="traffic-dc-asa-fw-*" 
|rex field=inBandwidth "(?<in_kbps>\d+\.\d+)Kbs"
|rex field=outBandwidth "(?<out_kbps>\d+\.\d+)Kbs" 
|eval in_kbps=in_kbps/1024|eval out_kbps=out_kbps/1024
|timechart avg(in_kbps) avg(out_kbps) by service_desc

ramdaspr · ‎02-19-2015

EDIT: Does not work. It does split them by service_desc but doesnt stack the avgs. Close but no cigar.

Timechart doesnt allow for multi series unfortunately so you have to jump through a few hoops to get this setup. Basing on the docs the below code should do it

sourcetype=service_perfdata service_desc="traffic-dc-asa-fw-*" 
 |rex field=inBandwidth "(?<in_kbps>\d+\.\d+)Kbs"
 |rex field=outBandwidth "(?<out_kbps>\d+\.\d+)Kbs" 
 |eval in_kbps=in_kbps/1024|eval out_kbps=out_kbps/1024
 |stats avg(in_kbps) as AvgIn avg(out_kbps) as AvgOut by _time,service_desc
 | eval merge="in_kbps out_kbps" 
 | makemv merge
 | mvexpand merge
 | eval YAxis=case(merge=="in_kbps", AvgIn,merge=="out_kbps",AvgOut)
 | eval SeriesName=service_desc+":"+merge
 | xyseries _time,SeriesName,YAxis

How to create a stacked column timechart with multiple series?

.conf25 Registration is OPEN!

Detecting Cross-Channel Fraud with Splunk

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Are you a member of the Splunk Community?

How to create a stacked column timechart with multiple series?

.conf25 Registration is OPEN!

Detecting Cross-Channel Fraud with Splunk

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside