Solved: Line graph by instance and time

danroberts · ‎11-15-2023

Hello,

I have the below Splunk search and I want to put the results into a line graph so I can compare all of the disk instances e.g. C, D , F over a period of time.

The search that I am using is:

index=windows_perfmon eventtype="perfmon_windows" Host="XXXX" object="LogicalDisk" counter="% Disk Write Time" instance="*" AND NOT instance=_Total AND NOT instance=Hard* | stats latest(Value) as Value by _time, instance | eval Value=round(Value, 2)

Any advise as I would like to create this in a line graph visualisation with the instances on different lines so you can do trend analysis on the Disk Write Time.

The results I am getting are:

_time instance value

2023-11-15 15:28:02	C:	2.83
2023-11-15 15:28:02	D :	0.01
2023-11-15 15:33:02	C:	4.10
2023-11-15 15:33:02	😧	0.01
2023-11-15 15:38:02	C:	2.59
2023-11-15 15:38:02	😧	0.01
2023-11-15 15:43:02	C:	1.98
2023-11-15 15:43:02	😧	0.01
2023-11-15 15:48:02	C:	2.81
2023-11-15 15:48:02	😧	0.01
2023-11-15 15:53:02	C:	2.51
2023-11-15 15:53:02	😧	0.01

bowesmana · ‎11-15-2023

Use timechart

index=windows_perfmon eventtype="perfmon_windows" Host="XXXX" object="LogicalDisk" counter="% Disk Write Time" instance="*" AND NOT instance=_Total AND NOT instance=Hard* 
| timechart latest(Value) as Value by instance 
| foreach * [ eval "<<FIELD>>"=round('<<FIELD>>', 2) ]

View solution in original post

bowesmana · ‎11-15-2023

Use timechart

index=windows_perfmon eventtype="perfmon_windows" Host="XXXX" object="LogicalDisk" counter="% Disk Write Time" instance="*" AND NOT instance=_Total AND NOT instance=Hard* 
| timechart latest(Value) as Value by instance 
| foreach * [ eval "<<FIELD>>"=round('<<FIELD>>', 2) ]

Line graph by instance and time

chart

count

stats

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!