
How to plot two sets of data in line chart when BOTH is selected?

super_edition
Path Finder

Hello Everyone,

I have a dashboard with a token named datacenter, which has 3 options in a dropdown:

Dublin ="*dbl_dc_01*"

Singapore= "*sing_dc_01*"

Both = "*"  (this is incorrect for my requirement, I know)

Currently I am plotting the line chart with the search below when $datacenter$ Dublin is selected:

(index=my_index) openshift_namespace=my-ns sourcetype=openshift_logs openshift_cluster="*dbl_dc_01*"
| search "message.logType"=CLIENT_REQ
| search "message.url"="$servicename$"
| stats dc("message.tracers.ek-correlation-id{}") by _time
| timechart span=1h count as "Dublin_Hits"

When $datacenter$ Singapore is selected:

(index=my_index) openshift_namespace=my-ns sourcetype=openshift_logs openshift_cluster="*sing_dc_01*"
| search "message.logType"=CLIENT_REQ
| search "message.url"="$servicename$"
| stats dc("message.tracers.ek-correlation-id{}") by _time
| timechart span=1h count as "Singapore_Hits"

When Both is selected, I need the 2 lines to be plotted on the same chart.

In an independent search I am able to achieve this using 2 searches with append:

(index=my_index) openshift_namespace=my-ns sourcetype=openshift_logs openshift_cluster="*dbl_dc_01*"
| search "message.logType"=CLIENT_REQ
| search "message.url"="$servicename$"
| stats dc("message.tracers.ek-correlation-id{}") by _time
| timechart span=1h count as "Dublin_Hits"
| append [ search (index=my_index) openshift_namespace=my-ns sourcetype=openshift_logs openshift_cluster="*sing_dc_01*"
    | search "message.logType"=CLIENT_REQ
    | search "message.url"="$servicename$"
    | stats dc("message.tracers.ek-correlation-id{}") by _time
    | timechart span=1h count as "Singapore_Hits" ]

How do we get this plotted in the same dashboard when BOTH is selected from the dropdown?

Note: the $servicename$ value is generated dynamically based on the data centre location.

1 Solution

scelikok
SplunkTrust

Hi @super_edition,

Could you please try something like below?

(index=my_index) openshift_namespace=my-ns sourcetype=openshift_logs openshift_cluster=$datacenter$ 
| search "message.logType"=CLIENT_REQ 
| search "message.url"="$servicename$" 
| timechart span=1h dc("message.tracers.ek-correlation-id{}") as count by openshift_cluster
If this reply helps you an upvote and "Accept as Solution" is appreciated.
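To make concrete what the accepted search computes, here is an added Python model of the timechart span=1h dc(...) by openshift_cluster step with the $datacenter$ wildcard applied the way the three dropdown values do; this is not Splunk code and not from this thread, and the events, cluster names and timestamps are constructed.

```python
from collections import defaultdict
from datetime import datetime, timezone
from fnmatch import fnmatchcase

# Constructed sample events (not real log data): timestamp, openshift_cluster,
# and the value of message.tracers.ek-correlation-id{}.
EVENTS = [
    ("2023-02-01T09:05:00Z", "prod-dbl_dc_01", "c1"),
    ("2023-02-01T09:20:00Z", "prod-dbl_dc_01", "c1"),  # repeat of c1: dc() counts it once
    ("2023-02-01T09:40:00Z", "prod-dbl_dc_01", "c2"),
    ("2023-02-01T09:15:00Z", "prod-sing_dc_01", "c3"),
    ("2023-02-01T10:30:00Z", "prod-sing_dc_01", "c4"),
    ("2023-02-01T10:45:00Z", "prod-sing_dc_01", "c5"),
]

def hour_bucket(ts: str) -> str:
    """Equivalent of timechart span=1h: truncate the timestamp to the hour."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return dt.replace(minute=0, second=0).isoformat()

def timechart_dc_by_cluster(events, datacenter: str) -> dict:
    """Model of:
         openshift_cluster=$datacenter$
         | timechart span=1h dc(correlation_id) as count by openshift_cluster
    datacenter is the dropdown token ("*dbl_dc_01*", "*sing_dc_01*" or "*").
    Returns {hour_bucket: {cluster: distinct_id_count}} with one column per
    matching cluster, zero-filled so every series has a value in every span."""
    ids = defaultdict(lambda: defaultdict(set))
    for ts, cluster, cid in events:
        # Splunk matches field values case-insensitively, with * as a wildcard.
        if not fnmatchcase(cluster.lower(), datacenter.lower()):
            continue
        ids[hour_bucket(ts)][cluster].add(cid)
    clusters = sorted({c for by_cluster in ids.values() for c in by_cluster})
    return {b: {c: len(ids[b].get(c, ())) for c in clusters} for b in sorted(ids)}

if __name__ == "__main__":
    for token in ("*dbl_dc_01*", "*sing_dc_01*", "*"):
        print(token, timechart_dc_by_cluster(EVENTS, token))
```

With "*" the result has two columns per span (one per cluster), which is why the chart shows two lines rather than one summed line.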


scelikok
SplunkTrust

Hi @super_edition,

Actually, because of timechart ... by openshift_cluster, you should see a different time series for each openshift_cluster. Also, there is no sum function.

Could you please check and confirm whether you used the search as it is, including by openshift_cluster?

If this reply helps you an upvote and "Accept as Solution" is appreciated.

super_edition
Path Finder

Hello @scelikok

Thanks, actually the query you shared works. I overlooked the last bit of the search, hence the confusion.



super_edition
Path Finder

Hello @scelikok

When the given search is executed, only 1 line is plotted in the line chart, using data which is the sum of Dublin and Singapore, not plotted separately, when BOTH (whose value is *) is selected from the dashboard's dropdown.
