Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Plot multiple charts in one report

Shahnoor
Explorer
‎02-02-2024 10:27 AM

Hello, I'm trying to sum by groups (I have 2 groups) and then plot them individually and also the sum. I'm using following script to plot group 1.

| fields inbound_rate outbound_rate HOST
| where HOST like "%location_a%"
| addtotals fieldname=a_TPS
| timechart span=5m sum(a_TPS) as a_TPS

This works and sums all the server TPS from location a. Now I have servers in another location (location_b). How can I plot TPS for location a, location b and sum of both?

Thanks.

Labels (2)
Labels
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎02-02-2024 01:38 PM

Something like

<your search> host IN (*location_a*, *location_b*)
| fields inbound_rate outbound_rate host
| eval location = if(match(host, "location_a", "location_a", "location_b")) ``` rex is usually more code-economic, split is more efficient, etc ```
| addtotals fieldname=a_TPS
| timechart span=5m sum(a_TPS) as a_TPS by location
| addtotals

Note: I assume that HOST (all caps) is the same field as Splunk's essential field host (all lower-case), therefore accessible in your index search.  Filtering in index search is more performant.  If the HOST field is not accessible in index search, you can still use a where clause; it's just less efficient.  Also, there can be many ways to calculate location but I am showing the least efficient method because I have no details about how location is embedded into host values and what regularities they have. (In my organization, for example, location is indicated in a fixed level of domain names, therefore I do not need match or rex.)

Hope this helps.

0 Karma
Reply
Get Updates on the Splunk Community!

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Community Content Calendar, November Edition

Welcome to the November edition of our Community Spotlight! Each month, we dive into the Splunk Community to ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...