How to create a timechart on a dashboard to visualize events using two fields from my data?

Hi

I need help in creating a timechart for visualization of events with multiple fields of interest in a dashboard.
In my events (application server log), I get two fields: TXN_TYPE and TXN_COUNT.

How to create:
1) timechart for the sum of TXN_COUNT from all searched events at any point in time (and not the count of the searched events)
2) Piechart showing sum of TXN_COUNT for each TXN_TYPE
3) timechart having two linegraphs which are unrelated (just need to get timeline view of two unrelated events)

Any help is much appreciated

Thanks In Advance

0 Karma

Re: How to create a timechart on a dashboard to visualize events using two fields from my data?

SplunkTrust

It's not clear what you are after, but a timechart of the sum of TXN_COUNT might be:

...my search here ... | timechart sum(TXN_COUNT)

For a pie chart, you'll want a sum by TXN_TYPE but it won't be a timechart because that would time-series it. So, something like

...my search here ... | stats sum(TXN_COUNT) by TXN_TYPE

And lastly, it will likely be a LOT easier to put two unrelated series of data in two separate charts but put them right above or beside one another in a dashboard. This is also good design - if the two really aren't related, putting them in one chart will imply they are. If you really think having it in one chart is the way to go, it might help if you could provide a sample of each kind of event, or even better a search that returns each individual timechart.

Note, there's no reason you can't ... | timechart sum(TXN_COUNT) by TXN_TYPE if that was something you wanted to play with too.

0 Karma

Re: How to create a timechart on a dashboard to visualize events using two fields from my data?

Esteemed Legend

Like this:

1: ... | timechart span=1h sum(TXN_COUNT)
2: ... | chart sum(TXN_COUNT) BY TXN_TYPE
3: index=_* OR index=* | eval lagSecs=_indextime - _time | timechart count avg(lagSecs) BY index

0 Karma

Re: How to create a timechart on a dashboard to visualize events using two fields from my data?

Thanks for the response. I got two of my queries answered.
For the third query, let me give more details of the search. The two unrelated series that I want to display in one timechart are related to the type of data (for example one search looking for message type events and another for file type events). And by showing them together on one graph I can visualize total of all type of those events (message type+file type= all types)
...my search1... giving count of message type events
...my search2... giving count of file type events

I want to display both type of event counts on same timechart (like two linegraphs). And possibly want to show the sum of these two unrelated values also (one more line graph showing sum of the two other linegraphs).

How to achieve that?
Thanks In Advance

0 Karma
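The third part of the question (two separately searched event counts on one timechart, plus a line for their total) is not answered above. The SPL below is an added example written for this page, not code from anyone in the thread, and it assumes an index named app_logs, a sourcetype named appserver, and TXN_TYPE values of "message" and "file"; all three are placeholders to replace with your own. It keeps the distinction the question draws: it sums TXN_COUNT rather than counting events.

```spl
index=app_logs sourcetype=appserver (TXN_TYPE="message" OR TXN_TYPE="file")
| timechart span=1h
    sum(eval(if(TXN_TYPE=="message", TXN_COUNT, 0))) AS message_total
    sum(eval(if(TXN_TYPE=="file", TXN_COUNT, 0))) AS file_total
| fillnull value=0 message_total file_total
| eval all_total = message_total + file_total

index=app_logs sourcetype=appserver TXN_TYPE="message"
| timechart span=1h sum(TXN_COUNT) AS message_total
| append
    [ search index=app_logs sourcetype=appserver TXN_TYPE="file"
      | timechart span=1h sum(TXN_COUNT) AS file_total ]
| timechart span=1h sum(message_total) AS message_total sum(file_total) AS file_total
| fillnull value=0 message_total file_total
| eval all_total = message_total + file_total
```

The first search is the one to prefer when both event types come out of one base search: the sum(eval(if(...))) idiom builds each series inside a single timechart, so every bucket holds both values and the eval can add them. The second search is for the case the question describes, two unrelated searches: append runs the second search as a subsearch (so it is subject to Splunk's subsearch result and time limits) and the final timechart re-buckets both result sets onto one time axis. In both forms fillnull is not optional: a bucket with events of only one type leaves the other field null, and null + number is null, which would drop the total line in that hour instead of showing it equal to the one series present. Use the search in a dashboard panel with a line-chart visualization and the three fields will render as three lines.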