
How to plot two sets of data in line chart when BOTH is selected?

super_edition
Path Finder

Hello Everyone,

I have a dashboard with a token value datacenter, which has 3 options in the dropdown:

Dublin ="*dbl_dc_01*"

Singapore= "*sing_dc_01*"

Both = "*"  (this is incorrect for my requirement, I know)

Currently I am plotting the line chart graph using the below search query when $datacenter$ Dublin is selected:

(index=my_index) openshift_namespace=my-ns sourcetype=openshift_logs openshift_cluster="*dbl_dc_01*" | search "message.logType"=CLIENT_REQ | search "message.url"="$servicename$" | stats dc("message.tracers.ek-correlation-id{}") by _time | timechart span=1h count as "Dublin_Hits"

When $datacenter$ Singapore is selected:

(index=my_index) openshift_namespace=my-ns sourcetype=openshift_logs openshift_cluster="*sing_dc_01*" | search "message.logType"=CLIENT_REQ | search "message.url"="$servicename$" | stats dc("message.tracers.ek-correlation-id{}") by _time | timechart span=1h count as "Singapore_Hits"

When Both is selected, I need the 2 lines to be plotted on the same chart.

As an independent search query, I am able to achieve this using 2 searches with append:

(index=my_index) openshift_namespace=my-ns sourcetype=openshift_logs openshift_cluster="*dbl_dc_01*" | search "message.logType"=CLIENT_REQ | search "message.url"="$servicename$" | stats dc("message.tracers.ek-correlation-id{}") by _time | timechart span=1h count as "Dublin_Hits" | append [ search (index=my_index) openshift_namespace=my-ns sourcetype=openshift_logs openshift_cluster="*sing_dc_01*" | search "message.logType"=CLIENT_REQ | search "message.url"="$servicename$" | stats dc("message.tracers.ek-correlation-id{}") by _time | timechart span=1h count as "Singapore_Hits"]


How do we get this plotted in the same dashboard when BOTH is selected from the dropdown?

Note: $servicename$ value is generated dynamically based on data centre location

0 Karma
1 Solution

scelikok
SplunkTrust

Hi @super_edition,

Could you please try something like below?

(index=my_index) openshift_namespace=my-ns sourcetype=openshift_logs openshift_cluster=$datacenter$
| search "message.logType"=CLIENT_REQ
| search "message.url"="$servicename$"
| timechart span=1h dc("message.tracers.ek-correlation-id{}") as count by openshift_cluster

If this reply helps you, an upvote and "Accept as Solution" is appreciated.
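
Added example, not part of the original thread or of scelikok's reply: a Simple XML form that wires the dropdown from the question to the single search above, so that selecting Both (`*`) yields one line per `openshift_cluster`. The dashboard label, panel title and time range are assumptions, as is `$servicename$` being set elsewhere in the dashboard; the `|s` token filter is used in place of hand-written quotes.

```xml
<form version="1.1">
  <label>Hits by datacenter (added example)</label>
  <fieldset submitButton="false">
    <!-- Choice values are the ones listed in the question -->
    <input type="dropdown" token="datacenter" searchWhenChanged="true">
      <label>Datacenter</label>
      <choice value="*dbl_dc_01*">Dublin</choice>
      <choice value="*sing_dc_01*">Singapore</choice>
      <choice value="*">Both</choice>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <title>Distinct correlation IDs per hour</title>
        <search>
          <!-- Assumption: $servicename$ is set elsewhere in the dashboard,
               since the question says it is generated dynamically.
               The |s filter wraps each token value in double quotes and
               escapes any quotes inside it, so the value stays a single
               field value in the search string. -->
          <query>
(index=my_index) openshift_namespace=my-ns sourcetype=openshift_logs openshift_cluster=$datacenter|s$
| search "message.logType"=CLIENT_REQ
| search "message.url"=$servicename|s$
| timechart span=1h dc("message.tracers.ek-correlation-id{}") as count by openshift_cluster
          </query>
          <!-- Time range is an assumed placeholder -->
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
  </row>
</form>
```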


scelikok
SplunkTrust

Hi @super_edition,

Actually, because of timechart ... by openshift_cluster, you should see different time series for each openshift_cluster. Also, there is no sum function.

Could you please check and confirm if you used the search as it is, including by openshift_cluster?

If this reply helps you, an upvote and "Accept as Solution" is appreciated.
0 Karma

super_edition
Path Finder

Hello @scelikok 

Thanks, actually the query shared by you works. I overlooked the last bit of the search, hence the confusion.

0 Karma

super_edition
Path Finder

Hello @scelikok 

When the given search is executed, only 1 line is plotted in the line chart, using data which is the sum of Dublin and Singapore, not separately. This is when BOTH (whose value is *) is selected from the dashboard's dropdown.

0 Karma