Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: One search to create multiple line chart
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is there any way that we can use a search to create multiple line chart? against the time? I set an interval on 300 seconds and against time, what is the best search commands that we can use ?
time : 1371459878
visibility : 1.73
windBearing : 197
windSpeed : 8.97
cloudCover : 0.97
dewPoint : 70.9
humidity : 0.55
icon : cloudy
ozone : 264.25
precipIntensity : 0
pressure : 1004.23
summary : Overcast
temperature : 90.46
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming that you have the fields already extracted, this is one way of doing it. In this case we're charting by _time, which along with first() will work more as a plotting command than an aggregation command, given that there is only one event per _time.
your_base_search | chart first(visibility) first(dewPoint) first(temperature) first(ozone) by _time
You can also use timechart span=xxx stats_command(field) stats_command(field)
http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/CommonStatsFunctions
Hope this helps,
Kristian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming that you have the fields already extracted, this is one way of doing it. In this case we're charting by _time, which along with first() will work more as a plotting command than an aggregation command, given that there is only one event per _time.
your_base_search | chart first(visibility) first(dewPoint) first(temperature) first(ozone) by _time
You can also use timechart span=xxx stats_command(field) stats_command(field)
http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/CommonStatsFunctions
Hope this helps,
Kristian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks !!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
if you want to use min/max/avg you might want to bucket _time, or use the timechart. Otherwise the values will be the same (guessing you have one event per _time).
Use timechart span=XXX max(Y) avg(Y) min(Y) max(Z) avg(Z) etc, where the span is long enough to ensure that several events get included in the time-slot.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Given search below, do you have any guidance to improve my search ?
sourcetype="NYPWeatherForecastCurrently" | chart first(current_temperature) max(current_temperature) avg(current_temperature) min(current_temperature) first(current_psi) first(current_humidity) first(current_dewpoint) first(current_visibility) first(current_windSpeed) by _time
time : 1371697655
visibility : 0.3
windBearing : 247
windSpeed : 7.16
psiAverage : 162
cloudCover : 0.38
dewPoint : 72.24
humidity : 0.57
icon : fog
ozone : 268.3
precipIntensity : 0
pressure : 1007.63
summary : Foggy
temperature : 89.95
Tech Talk Recap | Mastering Threat Hunting
Observability for AI Applications: Troubleshooting Latency
Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?
