Solved: How to join normalized data into a single timechar...

kuali_brandon · ‎07-20-2016

We have normalized data where multiple rows represent a single point in time, but attributes within the row represent the type. For example:

time=1 metric=ReadIOPs Average=0.01
time=1 metric=WriteIOPs Average=0.02

And so forth. There are multiple metric types beyond what is shown here. We would like to have this appear in a single timechart overlayed. We can get it to work in separate time charts by simply doing:

metric_name=ReadIOPs | timechart values(Average) as ReadIOPs

Is it possible to get this to join both Read and Write together into a single timechart?

sundareshr · ‎07-20-2016

Try this

 metric_name=* | chart values(Average) as IOPs over _time by metric_name

View solution in original post

sundareshr · ‎07-20-2016

Try this

 metric_name=* | chart values(Average) as IOPs over _time by metric_name

How to join normalized data into a single timechart?

Can’t make it to .conf25? Join us online!

Level Up Your .conf25: Splunk Arcade Comes to Boston

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

Are you a member of the Splunk Community?

How to join normalized data into a single timechart?

Can’t make it to .conf25? Join us online!

Level Up Your .conf25: Splunk Arcade Comes to Boston

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform