Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

TimeChart by 2 fields

Gulrez
Engager
‎04-03-2014 12:32 PM

I am trying to create a timechart by 2 fields
Here is what I tried:
source=abc CounterName="\Process(System)\% Processor Time"| timechart span=1h avg(CounterValue) by RoleInstance CounterName

Any idea how this could be achieved?

Tags (1)
Reply

shahab1khan
Engager
‎07-11-2018 09:43 PM

how about

source=abc CounterName="\Process(System)\% Processor Time" | stas count by RoleInstance,CounterName

view the visualization tab to get charts afterwards

0 Karma
Reply

shahab1khan
Engager
‎07-11-2018 09:42 PM

You can use the following and view the visualization tab

|stats count by field1,field2

Reply

asifpasha23
New Member
‎07-09-2015 09:24 AM

span is not working with chart. But I tried something below which works for me
chart perc90(s), count(s) by host

0 Karma
Reply

somesoni2
Revered Legend
‎04-03-2014 12:43 PM

Something like this

source=abc CounterName="\Process(System)\% Processor Time" | eval Role_Counter=RoleInstance + "#" + CounterName| timechart span=1h avg(CounterValue) by Role_Counter
Reply

MuS
SplunkTrust
SplunkTrust
‎04-05-2014 11:14 AM

timechart values(foo) by bar
Is the same like
chart values(foo) over_time by bar
But like linu said chart can have more then one by clause

0 Karma
Reply

rvany
Communicator
‎04-25-2018 01:02 PM

This is an older one - but for reference:

I don't think, that this is completely true. chart can have a and a . It's more flexible than timechart as the can be something other than _time. But you only have these to split-options (I believe, it was the same in 2014 with version 6.0.# or older).

If I'm wrong, just tell me so I can learn more and more...

0 Karma
Reply

linu1988
Champion
‎04-05-2014 12:23 AM

chart does support more fields. why to limit urself with timechart. They almost do the same.

Reply

somesoni2
Revered Legend
‎04-04-2014 06:02 AM

Time chart just work with one field in "by" clause. You can concatenate multiple field into one and use in timechart.

0 Karma
Reply

Gulrez
Engager
‎04-03-2014 03:30 PM

Can we scale this to more than 2 fields?

0 Karma
Reply

linu1988
Champion
‎04-03-2014 01:29 PM

or bucket _time span=1h|chart avg(CounterValue) by RoleInstance,CounterName

Reply

somesoni2
Revered Legend
‎04-03-2014 12:38 PM

You can concat both the fields into one field and do a timechart on that.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...