Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Multiple Values in Charts or Editing Charts
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Multiple Values in Charts or Editing Charts
So I'm trying to build a report that shows how many projects were created in the past week per customer and also in the same chart have the average number of projects that are created per customer (year to date). My query for finding out how many projects created in the past week is:
host="web01.inno-360.com" AND source="/var/log/apache2/pg_ssl_access.log" OR source="/var/log/apache2/disney_ssl_access.log" OR source="/var/log/apache2/afrl_ssl_access.log" OR source="/var/log/apache2/genmills_ssl_access.log" OR source="/var/log/apache2/mwv_ssl_access.log" OR source="/var/log/apache2/lmco_ssl_access.log" OR source="/var/log/apache2/givaudan_ssl_access.log" AND /projects/create | stats count by source
And my query for finding the average number of projects (per customer) created per week is:
host="web01.inno-360.com" AND source="/var/log/apache2/pg_ssl_access.log" AND /projects/create earliest=@y@w | timechart span=1w count as "Projects Created" | eventstats avg("Projects Created") as "Average Projects per Week"
My issue is that when I add other clients to the second query, it just gives me the average of all of them added together, and not individually. How would I get each client individually? And also once that is done how would I add that into the first query so I would have a report showing me each client's number of projects created per week along side the average amount for the year?
Or if what I asked above isn't possible would it be possible to take the first query (which is the number of projects created per week) and then manually add the average number of projects created per week to the chart?
Thanks in advance on any insight into this matter.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For the second query, try
host="web01.inno-360.com" AND source="/var/log/apache2/pg_ssl_access.log" AND /projects/create earliest=@y@w |
timechart span=1w count as "Projects Created" by source |
stats avg("Projects Created") as "Average Projects per Week" by source
Overall solution
host="web01.inno-360.com" AND source="/var/log/apache2/pg_ssl_access.log" OR source="/var/log/apache2/disney_ssl_access.log" OR source="/var/log/apache2/afrl_ssl_access.log" OR source="/var/log/apache2/genmills_ssl_access.log" OR source="/var/log/apache2/mwv_ssl_access.log" OR source="/var/log/apache2/lmco_ssl_access.log" OR source="/var/log/apache2/givaudan_ssl_access.log" AND /projects/create
| stats count as y by source | eval series="Created This Week"
| join source [host="web01.inno-360.com" AND source="/var/log/apache2/pg_ssl_access.log" AND /projects/create earliest=@y@w
| timechart span=1w count as "Projects Created" by source
| stats avg("Projects Created") as y by source
| eval series="Average per Week"]
| chart sum(y) as Projects over source by series
I am not 100% sure about this. But the idea is to get two series of data and join them based on a common field (source). Then chart the two series together.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When I try the first query I don't get an error but I don't get any results returned and when I try the second one I just get an error.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
