Splunk Search
Highlighted

TimeChart by 2 fields

Engager

I am trying to create a timechart by 2 fields
Here is what I tried:
source=abc CounterName="\Process(System)\% Processor Time"| timechart span=1h avg(CounterValue) by RoleInstance CounterName

Any idea how this could be achieved?

Tags (1)
Highlighted

Re: TimeChart by 2 fields

SplunkTrust
SplunkTrust

You can concat both the fields into one field and do a timechart on that.

Highlighted

Re: TimeChart by 2 fields

SplunkTrust
SplunkTrust

Something like this

source=abc CounterName="\Process(System)\% Processor Time" | eval Role_Counter=RoleInstance + "#" + CounterName| timechart span=1h avg(CounterValue) by Role_Counter
Highlighted

Re: TimeChart by 2 fields

Champion

or bucket _time span=1h|chart avg(CounterValue) by RoleInstance,CounterName

Highlighted

Re: TimeChart by 2 fields

Engager

Can we scale this to more than 2 fields?

0 Karma
Highlighted

Re: TimeChart by 2 fields

SplunkTrust
SplunkTrust

Time chart just work with one field in "by" clause. You can concatenate multiple field into one and use in timechart.

0 Karma
Highlighted

Re: TimeChart by 2 fields

Champion

chart does support more fields. why to limit urself with timechart. They almost do the same.

Highlighted

Re: TimeChart by 2 fields

SplunkTrust
SplunkTrust

timechart values(foo) by bar
Is the same like
chart values(foo) over_time by bar
But like linu said chart can have more then one by clause

0 Karma
Highlighted

Re: TimeChart by 2 fields

Communicator

This is an older one - but for reference:

I don't think, that this is completely true. chart can have a and a . It's more flexible than timechart as the can be something other than _time. But you only have these to split-options (I believe, it was the same in 2014 with version 6.0.# or older).

If I'm wrong, just tell me so I can learn more and more...

0 Karma
Highlighted

Re: TimeChart by 2 fields

New Member

span is not working with chart. But I tried something below which works for me
chart perc90(s), count(s) by host

0 Karma