Splunk Search

Multiple values into separate timewrap charts

mtmoore
Explorer

I'd like to pass multiple performance counters into the timewrap app so that it produces multiple graphs for analysis. Currently I can only pass one counter to timewrap with a 3 week comparison of that 1 counter for 1 host on a Saturday, which is great:

index="perfmon" host="hostname" counter="% Processor Time" earliest=-3w@w latest=@w |timechart avg(Value) span=1h | timewrap w | where strftime(_time,"%A") == "Saturday"

What I'd like to do is pass it, say, 20 different counters, producing 20 different graphs of 3 week comparisons of Saturdays. How would I do this?

Thanks!

0 Karma

wpreston
Motivator

One way would be to use the Sideview Utils Multiplexer module; it will do exactly what you are looking for. If you don't already have it, download Sideview Utils and look at the documentation for Multiplexer.

EDIT:

I'm probably using a different version of Sideview than you are, but in my version he has an example that does just what you're looking for, except it's done on the sourcetype field. On my version, it's on the "Using Multiplexer with Pager" page of the Module documentation. In it, there is a search that sets up some preliminary statistics, a post process that gets the unique values of sourcetype that he wants to report on, a Multiplexer module that tells Multiplexer to multiplex the sourcetype field, another post process that creates the timecharts he wants, then an HTML module and a JSChart module to set the visualizations. You can use this as a model to set up what you're looking for. Here is the relevant example XML:

<!-- EXAMPLE BEGIN -->
<module name="Search" layoutPanel="panel_row3_col1" autoRun="True">
    <param name="search">index=_internal source=*metrics.log group=per_sourcetype_thruput | bin _time span="1min" | stats sum(kb) as totalKB by series, _time | rename series as sourcetype</param>
    <param name="earliest">-60m</param>
    <param name="latest">now</param>

    <module name="JobProgressIndicator" />

    <module name="HiddenChartFormatter">
      <param name="charting.chart">line</param>
      <param name="charting.legend.placement">none</param>
      <param name="charting.axisTitleX.visibility">collapsed</param>

      <module name="PostProcess">
        <param name="search">dedup sourcetype | sort sourcetype</param>

        <module name="Pager">
          <param name="count">5</param>

          <module name="Multiplexer">
            <param name="field">sourcetype</param>

            <module name="PostProcess">
              <param name="search">search sourcetype="$sourcetype$" | timechart span="1min" max(totalKB) as totalKB</param>

              <module name="HTML">
                <param name="html"><![CDATA[
                  <h2>$sourcetype$</h2>
                ]]></param>
              </module>

              <module name="JSChart">
                <param name="height">150px</param>
                <param name="width">100%</param>
              </module>
            </module>
          </module>
        </module>
      </module>
    </module>
</module>
<!-- EXAMPLE END -->
0 Karma

wpreston
Motivator

Please see the updated answer.

0 Karma

mtmoore
Explorer

Do you mean this part? "Multiplexer:: Multiplexer allows you to custom-render search result rows, and use Splunk and Sideview modules to do that custom rendering. This sounds kind of like nothing at all, but it’s very very amazing. Picture being able to write a dashboard where for EACH row in your search results you can have a graph. Or a graph and a table and some HTML."

0 Karma

mtmoore
Explorer

Thanks for the quick response, how will this specifically help?

0 Karma