
How to create a timechart on a dashboard to visualize events using two fields from my data?



I need help in creating a timechart for visualization of events with multiple fields of interest in a dashboard.
In my events (application server log), I get two fields: TXN_TYPE and TXN_COUNT.

How to create:
1) timechart for the sum of TXN_COUNT from all searched events at any point in time (and not the count of the searched events)
2) Piechart showing sum of TXN_COUNT for each TXN_TYPE
3) timechart having two linegraphs which are unrelated (just need to get timeline view of two unrelated events)

Any help is much appreciated

Thanks In Advance


Esteemed Legend

Like this:

1: ... | timechart span=1h sum(TXN_COUNT)
2: ... | chart sum(TXN_COUNT) BY TXN_TYPE
3: index=_* OR index=* | eval lagSecs=_indextime - _time | timechart count avg(lagSecs) BY index


Thanks for the response. I got two of my queries answered.
For the third query, let me give more details of the search. The two unrelated series that I want to display in one timechart are related to the type of data (for example, one search looking for message type events and another for file type events). By showing them together on one graph I can visualize the total of all types of those events (message type + file type = all types).
..my search1...giving count of message type events
..my search 2..giving count of file type events

I want to display both types of event counts on the same timechart (like two line graphs). I also possibly want to show the sum of these two unrelated values (one more line graph showing the sum of the other two line graphs).

How to achieve that?
Thanks In Advance



It's not clear what you are after, but a timechart of the sum of TXN_COUNT might be:

...my search here ... | timechart sum(TXN_COUNT)

For a pie chart, you'll want a sum by TXN_TYPE but it won't be a timechart because that would time-series it. So, something like

...my search here ... | stats sum(TXN_COUNT) by TXN_TYPE

And lastly, it will likely be a LOT easier to put two unrelated series of data in two separate charts but put them right above or beside one another in a dashboard. This is also good design - if the two really aren't related, putting them in one chart will imply they are. If you really think having it in one chart is the way to go, it might help if you could provide a sample of each kind of event, or even better a search that returns each individual timechart.

Note, there's no reason you can't ... | timechart sum(TXN_COUNT) by TXN_TYPE if that was something you wanted to play with too.

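As an added example (not from either answer above) of the third request, here is one search that puts two unrelated series and their total on a single timechart. It assumes the application server events live in index=app with sourcetype=appserver, that the message and file events are selected by TXN_TYPE="message" and TXN_TYPE="file", and that the series are named message, file and total; every one of those names is an assumption and should be replaced with the real base searches and field values.

```spl
| multisearch
    [ search index=app sourcetype=appserver TXN_TYPE="message" | eval series="message" ]
    [ search index=app sourcetype=appserver TXN_TYPE="file"    | eval series="file" ]
| timechart span=1h count BY series
| fillnull value=0 message file
| addtotals fieldname=total message file
```

Each bracketed subsearch is one of the two unrelated base searches; the eval tags its events with a series name so that timechart ... BY series produces one column per search rather than one per raw field. fillnull turns buckets with no events into 0 so the line does not break, and addtotals adds the third column (total = message + file) that draws as the sum line. To chart the transaction volume instead of the event count, replace count with sum(TXN_COUNT); the column names and the total still work the same way. Because multisearch only accepts streaming subsearches, keep any stats or timechart out of the brackets and do the aggregation once at the end, as shown.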