Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Plot multiple charts in one report

Shahnoor
Explorer
‎02-02-2024 10:27 AM

Hello, I'm trying to sum by groups (I have 2 groups) and then plot them individually and also the sum. I'm using following script to plot group 1.

| fields inbound_rate outbound_rate HOST
| where HOST like "%location_a%"
| addtotals fieldname=a_TPS
| timechart span=5m sum(a_TPS) as a_TPS

This works and sums all the server TPS from location a. Now I have servers in another location (location_b). How can I plot TPS for location a, location b and sum of both?

Thanks.

Labels (2)
Labels
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎02-02-2024 01:38 PM

Something like

<your search> host IN (*location_a*, *location_b*)
| fields inbound_rate outbound_rate host
| eval location = if(match(host, "location_a", "location_a", "location_b")) ``` rex is usually more code-economic, split is more efficient, etc ```
| addtotals fieldname=a_TPS
| timechart span=5m sum(a_TPS) as a_TPS by location
| addtotals

Note: I assume that HOST (all caps) is the same field as Splunk's essential field host (all lower-case), therefore accessible in your index search.  Filtering in index search is more performant.  If the HOST field is not accessible in index search, you can still use a where clause; it's just less efficient.  Also, there can be many ways to calculate location but I am showing the least efficient method because I have no details about how location is embedded into host values and what regularities they have. (In my organization, for example, location is indicated in a fixed level of domain names, therefore I do not need match or rex.)

Hope this helps.

0 Karma
Reply
Get Updates on the Splunk Community!

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to Officially Supported Splunk ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI! Discover how Splunk’s agentic AI ...