Splunk Search

How to plot two sets of data in line chart when BOTH is selected?

super_edition
Path Finder

Hello Everyone,

I have a dashboard with a token named datacenter, which has 3 options in a dropdown:

Dublin = "*dbl_dc_01*"

Singapore = "*sing_dc_01*"

Both = "*" (I know this is incorrect for my requirement)

Currently I am plotting the line chart based on the search below when $datacenter$ Dublin is selected:

(index=my_index) openshift_namespace=my-ns sourcetype=openshift_logs openshift_cluster="*dbl_dc_01*"
| search "message.logType"=CLIENT_REQ
| search "message.url"="$servicename$"
| stats dc("message.tracers.ek-correlation-id{}") by _time
| timechart span=1h count as "Dublin_Hits"

When $datacenter$ Singapore is selected:

(index=my_index) openshift_namespace=my-ns sourcetype=openshift_logs openshift_cluster="*sing_dc_01*"
| search "message.logType"=CLIENT_REQ
| search "message.url"="$servicename$"
| stats dc("message.tracers.ek-correlation-id{}") by _time
| timechart span=1h count as "Singapore_Hits"

When Both is selected, I need the 2 lines plotted on the same chart.

In an independent search, I am able to achieve this using 2 searches with append:

(index=my_index) openshift_namespace=my-ns sourcetype=openshift_logs openshift_cluster="*dbl_dc_01*"
| search "message.logType"=CLIENT_REQ
| search "message.url"="$servicename$"
| stats dc("message.tracers.ek-correlation-id{}") by _time
| timechart span=1h count as "Dublin_Hits"
| append [ search (index=my_index) openshift_namespace=my-ns sourcetype=openshift_logs openshift_cluster="*sing_dc_01*"
    | search "message.logType"=CLIENT_REQ
    | search "message.url"="$servicename$"
    | stats dc("message.tracers.ek-correlation-id{}") by _time
    | timechart span=1h count as "Singapore_Hits" ]


How do we get this plotted in the same dashboard when BOTH is selected from the dropdown?

Note: the $servicename$ value is generated dynamically based on the data centre location.

scelikok
SplunkTrust

Hi @super_edition,

Could you please try something like below?

(index=my_index) openshift_namespace=my-ns sourcetype=openshift_logs openshift_cluster=$datacenter$ 
| search "message.logType"=CLIENT_REQ 
| search "message.url"="$servicename$" 
| timechart span=1h dc("message.tracers.ek-correlation-id{}") as count by openshift_cluster

If this reply helps you, an upvote and "Accept as Solution" is appreciated.


scelikok
SplunkTrust

Hi @super_edition,

Actually, because of `timechart ... by openshift_cluster`, you should see a different time series for each openshift_cluster. Also, there is no sum function.

Could you please check and confirm whether you used the search as it is, including `by openshift_cluster`?

If this reply helps you, an upvote and "Accept as Solution" is appreciated.

super_edition
Path Finder

Hello @scelikok,

Thanks, actually the query shared by you works. I overlooked the last bit of the search, hence the confusion.


super_edition
Path Finder

Hello @scelikok,

When the given search is executed, only 1 line is plotted in the line chart, using data which is the sum of Dublin and Singapore, not separately. This happens when BOTH (whose value is *) is selected from the dashboard's dropdown.