Marker Gauge for multiple events in single search

rmsagar · ‎08-18-2015

My search returns a table like below, I would like to have Marker Gauge grouped them as host. Please share your thoughts.

Hostname Appname Util% time
A A1 80 11:00
A A2 75 11:05
B B1 70 11:00
C C1 90 11:10

woodcock · ‎08-20-2015

The Marker Guage visualization expects to be passed a single value and it does not care what the field name is. In order to do this for your 4 hosts, you need to make 4 separate panels which should contain your first search as-is but end like this:

... | search Appname=A1 | fields Until%
... | search Appname=A2 | fields Until%
... | search Appname=A3 | fields Until%
... | search Appname=A4 | fields Until%

Put the rest of the context to explain the Hostname, etc. in the "Title" of each Panel.

Marker Gauge for multiple events in single search

Can’t make it to .conf25? Join us online!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

Calling All Security Pros: Ready to Race Through Boston?

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Are you a member of the Splunk Community?

Marker Gauge for multiple events in single search

Can’t make it to .conf25? Join us online!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

Calling All Security Pros: Ready to Race Through Boston?

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...