Solved: How to plot two sets of data in line chart when BO...

super_edition · ‎02-01-2023

Hello Everyone,

I have dashboard with token value as datacenter, which has 3 options from dropdown:

Dublin ="*dbl_dc_01*"

Singapore= "*sing_dc_01*"

Both = "*" (this is incorrect for my requirement.. i know)

Currently I am plotting the line chart graph based on the search when

$datacenter$ Dublin is selected using the below search query:

(index=my_index) openshift_namespace=my-ns sourcetype=openshift_logs openshift_cluster="*dbl_dc_01*" | search "message.logType"=CLIENT_REQ | search "message.url"="$servicename$" | stats dc("message.tracers.ek-correlation-id{}") by _time | timechart span=1h count as "Dublin_Hits"

$datacenter$ Singapore is selected:

(index=my_index) openshift_namespace=my-ns sourcetype=openshift_logs openshift_cluster="*sing_dc_01*" | search "message.logType"=CLIENT_REQ | search "message.url"="$servicename$" | stats dc("message.tracers.ek-correlation-id{}") by _time | timechart span=1h count as "Singapore_Hits"

When Both selected - I need that 2 lines to be plotted on that same chart:

From the independent search query, i am able to achieve this using 2 searches with append

(index=my_index) openshift_namespace=my-ns sourcetype=openshift_logs openshift_cluster="*dbl_dc_01*" | search "message.logType"=CLIENT_REQ | search "message.url"="$servicename$" | stats dc("message.tracers.ek-correlation-id{}") by _time | timechart span=1h count as "Dublin_Hits" | append [ search (index=my_index) openshift_namespace=my-ns sourcetype=openshift_logs openshift_cluster="*sing_dc_01*" | search "message.logType"=CLIENT_REQ | search "message.url"="$servicename$" | stats dc("message.tracers.ek-correlation-id{}") by _time | timechart span=1h count as "Singapore_Hits"]

How do we get this plotted in the same dashboard when BOTH is selected from drop down

Note: $servicename$ value is generated dynamically based on data centre location

scelikok · ‎02-01-2023

Hi @super_edition,

Could you please try something like below?

(index=my_index) openshift_namespace=my-ns sourcetype=openshift_logs openshift_cluster=$datacenter$ 
| search "message.logType"=CLIENT_REQ 
| search "message.url"="$servicename$" 
| timechart span=1h dc("message.tracers.ek-correlation-id{}") as count by openshift_cluster

If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

scelikok · ‎02-01-2023

Hi @super_edition,

Actually because of timechart ... by openshift_cluster you should see different time series for each openshift_cluster. Also there is no sum function.

Could you please check and confirm if you used the search as it is? Including by openshift_cluster?

If this reply helps you an upvote and "Accept as Solution" is appreciated.

super_edition · ‎02-02-2023

Hello @scelikok

thanks actually the query shared by you works. I overlooked the last bit of the search hence the confusion.

scelikok · ‎02-01-2023

Hi @super_edition,

Could you please try something like below?

(index=my_index) openshift_namespace=my-ns sourcetype=openshift_logs openshift_cluster=$datacenter$ 
| search "message.logType"=CLIENT_REQ 
| search "message.url"="$servicename$" 
| timechart span=1h dc("message.tracers.ek-correlation-id{}") as count by openshift_cluster

If this reply helps you an upvote and "Accept as Solution" is appreciated.

super_edition · ‎02-01-2023

Hello @scelikok

When the given search is executed only 1 line is plotted in line chart using the data which is the sum of dublin and singapore. Not separately. - When the BOTH (whose value is *) is selected from dashboard's dropdown

How to plot two sets of data in line chart when BOTH is selected?

chart

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

Everything Community at .conf24!

Index This | I’m short for "configuration file.” What am I?