How to create a timechart on a dashboard to visualize events using two fields from my data?

SplunkNoviceUse
Explorer

Hi

I need help in creating a timechart for visualization of events with multiple fields of interest in a dashboard.
In my events (application server log), I get two fields: TXN_TYPE and TXN_COUNT.

How to create:
1) timechart for the sum of TXN_COUNT from all searched events at any point in time (and not the count of the searched events)
2) Piechart showing sum of TXN_COUNT for each TXN_TYPE
3) timechart having two linegraphs which are unrelated (just need to get timeline view of two unrelated events)

Any help is much appreciated

Thanks In Advance

0 Karma

woodcock
Esteemed Legend

Like this:

1: ... | timechart span=1h sum(TXN_COUNT)
2: ... | chart sum(TXN_COUNT) BY TXN_TYPE
3: index=_* OR index=* | eval lagSecs=_indextime - _time | timechart count avg(lagSecs) BY index
0 Karma

SplunkNoviceUse
Explorer

Thanks for the response. I got two of my queries answered.
For the third query, let me give more details of the search. The two unrelated series that I want to display in one timechart are related to the type of data (for example, one search looking for message type events and another for file type events). By showing them together on one graph I can visualize the total of all types of those events (message type + file type = all types).
..my search1...giving count of message type events
..my search 2..giving count of file type events

I want to display both types of event counts on the same timechart (like two line graphs). And possibly I also want to show the sum of these two unrelated values (one more line graph showing the sum of the two other line graphs).

How to achieve that?
Thanks In Advance

0 Karma

Richfez
SplunkTrust
SplunkTrust

It's not clear what you are after, but a timechart of the sum of TXN_COUNT might be:

...my search here ... | timechart sum(TXN_COUNT)

For a pie chart, you'll want a sum by TXN_TYPE but it won't be a timechart because that would time-series it. So, something like

...my search here ... | stats sum(TXN_COUNT) by TXN_TYPE

And lastly, it will likely be a LOT easier to put two unrelated series of data in two separate charts but put them right above or beside one another in a dashboard. This is also good design - if the two really aren't related, putting them in one chart will imply they are. If you really think having it in one chart is the way to go, it might help if you could provide a sample of each kind of event, or even better a search that returns each individual timechart.

Note, there's no reason you can't ... | timechart sum(TXN_COUNT) by TXN_TYPE if that was something you wanted to play with too.

0 Karma
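One way to build the third chart the asker describes (two unrelated series plus their sum on a single timechart), as an added example that is not code from any of the posts above. It assumes `<search 1>` and `<search 2>` stand in for the asker's two searches, that events from both carry TXN_COUNT, and an hourly span; the series names message_type, file_type and all_types are chosen here.

```spl
<search 1: message type events>
| eval series="message_type"
| append
    [ search <search 2: file type events>
      | eval series="file_type" ]
| timechart span=1h sum(TXN_COUNT) BY series
| fillnull value=0 message_type file_type
| addtotals fieldname="all_types" message_type file_type
```

The append subsearch is subject to the usual subsearch limits (its maxout and maxtime settings), so if both kinds of events live in the same index, a single search with an eval that assigns series from whichever field distinguishes them is cheaper than the append. Richfez's point still applies: the all_types line makes the relationship explicit, but two panels remain the clearer design when the series really are unrelated.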