Hello Splunkers,
While working on charting the max concurrent usage of the wifi services in a department of my company, I fell on a small problem. I have two different hotspot names and I am trying to chart the max concurrency of both on the same stacked column chart to give visibility on which one is being used more.
Charting them one at a time works wells by doing the following :
index=wifi HotspotName="First" | transaction TransactionId startswith="start" endswith="stop"| concurrency duration=duration | timechart max(concurrency)
And
index=wifi HotspotName="Second" | transaction TransactionId startswith="start" endswith="stop"| concurrency duration=duration | timechart max(concurrency)
This uses up two panels/searches, so I want to have both results on the same chart. To do that, I used the following command :
index=wifi HotspotName="First" OR HotspotName="Second" | transaction TransactionId startswith="start" endswith="stop"| concurrency duration=duration | timechart max(concurrency) by HotspotName
The thing is that in this case, both HotspotName are being displayed with the same value for concurrency. I'm guessing that's normal behavior for concurrency since at no point the concurrency is being split between both hotspots. So my question is, what can I do to make the timechart split the values of concurrency based on the hotspots and not simply show the same value for both.
Hope you guys can help!
Regards,
David
Just append the searches like this:
index=wifi HotspotName="First" | transaction TransactionId startswith="start" endswith="stop"| concurrency duration=duration | timechart max(concurrency) | append [search index=wifi HotspotName="Second" | transaction TransactionId startswith="start" endswith="stop" | concurrency duration=duration | timechart max(concurrency)]
Just append the searches like this:
index=wifi HotspotName="First" | transaction TransactionId startswith="start" endswith="stop"| concurrency duration=duration | timechart max(concurrency) | append [search index=wifi HotspotName="Second" | transaction TransactionId startswith="start" endswith="stop" | concurrency duration=duration | timechart max(concurrency)]
Thanks a lot Woodcock ! always here to give helpful answers 🙂 This charts both correct values on the same chart . Is there way to have them superpose them ? because i'm getting the charts chained one after the other.
Ended up using transaction command on _time to regroup both values 😄
Or add `| sort 0 _time'
Yeah it works too 😄 although when i try to eval a total and chart it along with the other lines it doesn't seem to work with the sort. Only works with transaction. Any idea why ?
You cannot sort
by a field that you have caused to be dropped ( _time
).
I'm assuming that your second query should have
HotspotName="Second"
and not
HotspotName="First"
?
lol copy/paste ^^ thanks man, fixed it 🙂