Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to create aa chart using xyseries command synt...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ahmedkhalil
Communicator
09-22-2015
06:44 AM
Dears,
i would like to create chart that contain two different x axis and one y axis using xyseries command
but i couldn't locate the correct syntax the guide say that correct synatx as below but it's not working for me
xyseries x-fieldname y-name-field y-data-field
ex: xyseries x-host x-ipaddress y-name-sourcetype y-data-value
any help please!
thanks in adavnce
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
09-22-2015
11:50 AM
It will be a 3 step process, (xyseries will give data with 2 columns x and y).
Step 1) Concatenate your x-host and x-ipaddress into 1 field, say temp
Step 2) Run your xyseries with temp y-name-sourcetype y-data-value.
Step 3) Use Rex/eval-split to separate temp as x=host and x-ipaddress
Sample:
index=_internal | stats count by sourcetype source component | eval temp=source."#".component | xyseries temp sourcetype count
| rex field=temp "(?<source>.*)#(?<component>.*)" | fields - temp
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
09-22-2015
11:50 AM
It will be a 3 step process, (xyseries will give data with 2 columns x and y).
Step 1) Concatenate your x-host and x-ipaddress into 1 field, say temp
Step 2) Run your xyseries with temp y-name-sourcetype y-data-value.
Step 3) Use Rex/eval-split to separate temp as x=host and x-ipaddress
Sample:
index=_internal | stats count by sourcetype source component | eval temp=source."#".component | xyseries temp sourcetype count
| rex field=temp "(?<source>.*)#(?<component>.*)" | fields - temp
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tarun_l
Engager
07-14-2022
06:04 AM
Thanks for your solution - it helped.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ahmedkhalil
Communicator
09-23-2015
01:18 AM
many thanks for your answer
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!
Tech Talk Recap | Mastering Threat Hunting
Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...
Observability for AI Applications: Troubleshooting Latency
If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...
Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?
In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...
