How to create graphs for two different values of s...

bullriser · ‎07-22-2020

Hello, i have a splunk query like this

index=someindex container_name=app ( cookie=*cookie1" OR cookie="cookie2" ) event=Someevent  | timechart span=1m perc50(latency)

This above query will create one line chart. how can we create two charts one for cookie=cookie1 and the other for cookie=cookie2 in same panel ?

Thanks in advance

bowesmana · ‎07-22-2020

That's a simple split by clause with a bit of handling for the wildcard case cookie1

index=someindex container_name=app ( cookie=*cookie1" OR cookie="cookie2" ) event=Someevent
| rex field=cookie "(?<cookieType>cookie\d)"
| timechart span=1m perc50(latency) by cookieType

The rex statement is looking for the 'cookieX' where X is a digit and creating a new field called cookieType containing either cookie1 or cookie2 and then the by clause will split the result into the two lines on the chart.

If you actually want two charts in the same panel, then select the 'trellis' mode and choose the aggregation, which will give you two separate charts in a panel, with the cookieType on each chart. If you just want two lines in the same chart, ignore the trellis mode

Hope this helps

How to create graphs for two different values of same field?

chart

subsearch

timechart

Community Content Calendar, November Edition

October Community Champions: A Shoutout to Our Contributors!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Are you a member of the Splunk Community?