Splunk Search

How to plot two sets of data in line chart when BOTH is selected?

super_edition
Path Finder

Hello Everyone,

I have a dashboard with a token value as datacenter, which has 3 options in the dropdown:

Dublin ="*dbl_dc_01*"

Singapore= "*sing_dc_01*"

Both = "*" (this is incorrect for my requirement... I know)

Currently I am plotting the line chart graph based on the search when $datacenter$ Dublin is selected, using the below search query:

(index=my_index) openshift_namespace=my-ns sourcetype=openshift_logs openshift_cluster="*dbl_dc_01*"
| search "message.logType"=CLIENT_REQ
| search "message.url"="$servicename$"
| stats dc("message.tracers.ek-correlation-id{}") by _time
| timechart span=1h count as "Dublin_Hits"

$datacenter$ Singapore is selected:

(index=my_index) openshift_namespace=my-ns sourcetype=openshift_logs openshift_cluster="*sing_dc_01*"
| search "message.logType"=CLIENT_REQ
| search "message.url"="$servicename$"
| stats dc("message.tracers.ek-correlation-id{}") by _time
| timechart span=1h count as "Singapore_Hits"

When Both is selected, I need the 2 lines to be plotted on the same chart:

From the independent search query, I am able to achieve this using 2 searches with append:

(index=my_index) openshift_namespace=my-ns sourcetype=openshift_logs openshift_cluster="*dbl_dc_01*"
| search "message.logType"=CLIENT_REQ
| search "message.url"="$servicename$"
| stats dc("message.tracers.ek-correlation-id{}") by _time
| timechart span=1h count as "Dublin_Hits"
| append [
    search (index=my_index) openshift_namespace=my-ns sourcetype=openshift_logs openshift_cluster="*sing_dc_01*"
    | search "message.logType"=CLIENT_REQ
    | search "message.url"="$servicename$"
    | stats dc("message.tracers.ek-correlation-id{}") by _time
    | timechart span=1h count as "Singapore_Hits"
]


How do we get this plotted in the same dashboard when BOTH is selected from the dropdown?

Note: the $servicename$ value is generated dynamically based on the data centre location.

1 Solution

scelikok
SplunkTrust

Hi @super_edition,

Could you please try something like below?

(index=my_index) openshift_namespace=my-ns sourcetype=openshift_logs openshift_cluster=$datacenter$ 
| search "message.logType"=CLIENT_REQ 
| search "message.url"="$servicename$" 
| timechart span=1h dc("message.tracers.ek-correlation-id{}") as count by openshift_cluster

If this reply helps you, an upvote and "Accept as Solution" is appreciated.
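To show how the accepted search fits into the dashboard the question describes, here is a minimal Simple XML dashboard that wires the three-way dropdown to that search. This is an added example, not the original poster's dashboard or scelikok's code: the token names datacenter and servicename, the index, namespace, sourcetype and field names come from the thread, while the plain text input for servicename, the time range and the chart options are assumptions (the thread says servicename is generated dynamically, which this example does not reproduce).

```xml
<!-- Constructed example dashboard; names taken from the thread, layout assumed -->
<form>
  <label>Client requests by data centre</label>
  <fieldset submitButton="false">
    <!-- The three choices from the question; "Both" passes a bare wildcard -->
    <input type="dropdown" token="datacenter" searchWhenChanged="true">
      <label>Data centre</label>
      <choice value="*dbl_dc_01*">Dublin</choice>
      <choice value="*sing_dc_01*">Singapore</choice>
      <choice value="*">Both</choice>
      <default>*</default>
    </input>
    <!-- Assumption: a free-text input stands in for the dynamically generated servicename token -->
    <input type="text" token="servicename" searchWhenChanged="true">
      <label>Service name</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <title>Hourly distinct correlation ids for $datacenter$</title>
        <search>
          <!-- The accepted search: one timechart split by openshift_cluster instead of two appended searches -->
          <query>index=my_index openshift_namespace=my-ns sourcetype=openshift_logs openshift_cluster=$datacenter$
| search "message.logType"=CLIENT_REQ
| search "message.url"="$servicename$"
| timechart span=1h dc("message.tracers.ek-correlation-id{}") as count by openshift_cluster</query>
          <!-- Assumed time range -->
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.legend.placement">bottom</option>
      </chart>
    </panel>
  </row>
</form>
```

With Dublin or Singapore selected, the openshift_cluster filter matches only that cluster and the chart carries a single series; with Both selected, the bare wildcard matches every cluster and the `by openshift_cluster` split produces one series per distinct cluster value, so the legend shows the actual cluster names rather than the "Dublin_Hits" and "Singapore_Hits" labels from the appended version.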

scelikok
SplunkTrust

Hi @super_edition,

Actually, because of timechart ... by openshift_cluster, you should see a different time series for each openshift_cluster. Also, there is no sum function.

Could you please check and confirm if you used the search as it is? Including by openshift_cluster?

If this reply helps you, an upvote and "Accept as Solution" is appreciated.

super_edition
Path Finder

Hello @scelikok 

Thanks, actually the query shared by you works. I overlooked the last bit of the search, hence the confusion.

super_edition
Path Finder

Hello @scelikok 

When the given search is executed, only 1 line is plotted in the line chart, using data which is the sum of Dublin and Singapore, not separately, when BOTH (whose value is *) is selected from the dashboard's dropdown.