
Multiple values into separate timewrap charts

Explorer

I'd like to pass multiple performance counters into the timewrap app so that it produces multiple graphs for analysis. Currently I can only pass one counter to timewrap with a 3 week comparison of that 1 counter for 1 host on a Saturday, which is great:

index="perfmon" host="hostname" counter="% Processor Time" earliest=-3w@w latest=@w |timechart avg(Value) span=1h | timewrap w | where strftime(_time,"%A") == "Saturday"

What I'd like to do is pass it, say, 20 different counters, producing 20 different graphs of 3 week comparisons of Saturdays. How would I do this?

Thanks!

0 Karma

Motivator

One way would be to use the Sideview Utils Multiplexer module; it will do exactly what you are looking for. If you don't already have it, download Sideview Utils and look at the documentation for Multiplexer.

EDIT:

I'm probably using a different version of Sideview than you are, but in my version he has an example that does just what you're looking for, except it's done on the sourcetype field. On my version, it's on the "Using Multiplexer with Pager" page of the Module documentation. In it, there is a search that sets up some preliminary statistics, a post process that gets the unique values of sourcetype that he wants to report on, a Multiplexer module that tells Multiplexer to multiplex the sourcetype field, another post process that creates the timecharts he wants, then an HTML module and a JSChart module to set the visualizations. You can use this as a model to set up what you're looking for. Here is the relevant example XML:

<!-- EXAMPLE BEGIN -->
<module name="Search" layoutPanel="panel_row3_col1" autoRun="True">
    <param name="search">index=_internal source=*metrics.log group=per_sourcetype_thruput | bin _time span="1min" | stats sum(kb) as totalKB by series, _time | rename series as sourcetype</param>
    <param name="earliest">-60m</param>
    <param name="latest">now</param>

    <module name="JobProgressIndicator" />

    <module name="HiddenChartFormatter">
      <param name="charting.chart">line</param>
      <param name="charting.legend.placement">none</param>
      <param name="charting.axisTitleX.visibility">collapsed</param>

      <module name="PostProcess">
        <param name="search">dedup sourcetype | sort sourcetype</param>

        <module name="Pager">
          <param name="count">5</param>

          <module name="Multiplexer">
            <param name="field">sourcetype</param>

            <module name="PostProcess">
              <param name="search">search sourcetype="$sourcetype$" | timechart span="1min" max(totalKB) as totalKB</param>

              <module name="HTML">
                <param name="html"><![CDATA[
                  <h2>$sourcetype$</h2>
                ]]></param>
              </module>

              <module name="JSChart">
                <param name="height">150px</param>
                <param name="width">100%</param>
              </module>
            </module>
          </module>
        </module>
      </module>
    </module>
</module>
<!-- EXAMPLE END -->
0 Karma

Motivator

Please see the updated answer.

0 Karma

Explorer

Do you mean this part? "Multiplexer:: Multiplexer allows you to custom-render search result rows, and use Splunk and Sideview modules to do that custom rendering. This sounds kind of like nothing at all, but it’s very very amazing. Picture being able to write a dashboard where for EACH row in your search results you can have a graph. Or a graph and a table and some HTML."

0 Karma

Explorer

Thanks for the quick response, how will this specifically help?

0 Karma