Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to create graphs for two different values of same field?

bullriser
New Member
‎07-22-2020 06:50 PM

Hello, i have a splunk query like this 

index=someindex container_name=app ( cookie=*cookie1" OR cookie="cookie2" ) event=Someevent  | timechart span=1m perc50(latency)

This above query will create one line chart. how can we create two charts one for cookie=cookie1 and the other for cookie=cookie2 in same panel ?

Thanks in advance

Labels (3)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎07-22-2020 09:01 PM

That's a simple split by clause with a bit of handling for the wildcard case cookie1

 

index=someindex container_name=app ( cookie=*cookie1" OR cookie="cookie2" ) event=Someevent
| rex field=cookie "(?<cookieType>cookie\d)"
| timechart span=1m perc50(latency) by cookieType

 

The rex statement is looking for the 'cookieX' where X is a digit and creating a new field called cookieType containing either cookie1 or cookie2 and then the by clause will split the result into the two lines on the chart.

If you actually want two charts in the same panel, then select the 'trellis' mode and choose the aggregation, which will give you two separate charts in a panel, with the cookieType on each chart. If you just want two lines in the same chart, ignore the trellis mode

Hope this helps

 

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...