Splunk Search

Timechart Different Color Line

skoelpin
SplunkTrust

I have 7 web service calls which have varying response times. I have a timechart (LINE) ranging from 00:00 to 24:00, I would like to plot each web service call on that timechart but have a different color line for each web service call so I can compare them.

Is there an app I can use or is there a way to plot all 7 calls with a different color line at search time?

1 Solution

jtrucks
Splunk Employee

Most likely all you need to do is something like this:

your search to get events with each of your seven web calls like (webcallfield=1 OR webcallfield=2 OR ... webcallfield=7) | timechart count(webcallfield=1) AS ServiceCall1, count(webcallfield=2) AS ServiceCall2, count(webcallfield=3) AS ServiceCall3, count(webcallfield=4) AS ServiceCall4, count(webcallfield=5) AS ServiceCall5, count(webcallfield=6) AS ServiceCall6, count(webcallfield=7) AS ServiceCall7
--
Jesse Trucks
Minister of Magic


Raghav2384
Motivator
Not sure if this is what you're looking for.

Just add the following with color codes in simple XML somewhere in the chart stanza.

<option name="charting.seriesColors">[0x4C0000,0xXXXXXX,...........,0xZZZZZZ]</option>

That should assign color to each line but it's dynamic...can't say which metric gets which color.

Hope this helps!
Thanks,
Raghav

jtrucks
Splunk Employee

This only works if there are multiple results on the chart, not a single line. In those cases, the colors ARE different. Your method can choose the color set used, but it has nothing to do with the search producing multiple results.

--
Jesse Trucks
Minister of Magic

Raghav2384
Motivator

Agree... I read the question incorrectly. I thought he was looking for standard colors to pick from... apologies for going off on tangents.


jtrucks
Splunk Employee

Change your timechart to:

... | timechart avg(duration) AS "Response Time" by RTG_Call
--
Jesse Trucks
Minister of Magic

skoelpin
SplunkTrust

This does work BUT RTG_Call accounts for both request and response. So I'm getting 2 identical lines for each call. So for 8 web service calls, I'm getting 16 lines. Any idea on how I can exclude the dups?


skoelpin
SplunkTrust

I didn't see the first reply you posted. Can you please elaborate more on the (webcallfield=1 etc.)? Currently, I have it set up like RTG_Call="<GetDeliverySchedule*" and now, taking your suggestion, how should I format this? Would it be like this?

(RTG_Call="<GetDeliverySchedule*") = 1 or (RTG_Call="<GetProductAvailability*") = 2)

jtrucks
Splunk Employee

No, I didn't have your search string that produced your results, so it was an example of different web calls. Your search should work perfectly fine. To translate, where I was using an arbitrary name of webcallfield you used your real field name of RTG_Call.

--
Jesse Trucks
Minister of Magic

jtrucks
Splunk Employee

Try adding:

... | dedup RTG_Call

To the end.

--
Jesse Trucks
Minister of Magic

skoelpin
SplunkTrust

I added this and nothing is coming back

| timechart avg(duration) AS "Response Time" by RTG_Call | dedup RTG_call

jtrucks
Splunk Employee

Hrm. Perhaps place the dedup before timechart.

--
Jesse Trucks
Minister of Magic

skoelpin
SplunkTrust

I just tried this and it excluded all my data except for one line but kept the dupes in calls (request and response for each call). I think this will work if I get the example you posted above working. I currently have RTG_Call="<GetDeliverySchedule*" but how should I format this? You say I can set each call = 1, 2 etc., but this would mean that it has 2 equal signs in it, which would mess it up. How should I format this?

Would it be like this?

... | timechart ((RTG_Call="<GetDeliverySchedule*") =1 ) AS DeliverySchedule1 

jtrucks
Splunk Employee

In your search, you have RTG_Call="GetDeliverySchedule*". Does that mean there are two values that match due to the * at the end? Is this why you have 16 items not 8?

--
Jesse Trucks
Minister of Magic

skoelpin
SplunkTrust

Yes, correct. When I did the extraction, RTG_Call picks up the request and response. So when I use RTG_Call="GetDeliverySchedule*" this means the request and response.

GetDeliverySchedule is the request and GetDeliveryScheduleResponse is our response. So using a star (*) after GetDeliverySchedule would allow us to get both. In this case, when I graph it, the request and response have identical response times, so would there be any way to just exclude the responses?


skoelpin
SplunkTrust

Could I do a NOT GetDeliverySchedule* somewhere in my search to get rid of the dupes?


jtrucks
Splunk Employee

Try this (I just tested it with a similar search):

... | where NOT match(RTG_Call,"Response$")

That will remove the events with *Response at the end. If you want to keep those and not the others, remove the NOT.

--
Jesse Trucks
Minister of Magic

skoelpin
SplunkTrust

I'm trying it with 2 web services for simplification and if it works then I'll include all the other ones. I just tried your suggestion and unfortunately I'm still getting the responses. Below is my search:

index=unleashed RTG_Call="<GetDeliverySchedule*" OR RTG_Call="<GetProductAvailability*" | transaction GUID startswith="fterReceiveRequest" endswith="BeforeSendReply" | timechart avg(duration) AS Response by RTG_Call | where NOT match(RTG_Call,"Response$")
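The search above filters on RTG_Call after timechart, but timechart's output rows carry only _time and one column per series, so there is no RTG_Call field left for where (or the earlier dedup attempt) to act on. The Python model below is an added illustration, not code from this thread or from Splunk: it uses constructed request/response events with the thread's field names, models transaction as pairing the two events that share a GUID (keeping both RTG_Call values, as a multivalue field would), and then charts the average duration by call. The assumed fix is to reduce RTG_Call to the request name (the value not ending in "Response") before the chart step; the series-key helper and the hourly bucketing are simplifications for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not from the thread). Each web service call logs
# a request line and a matching *Response line that share one GUID.
# Fields: _time, GUID, RTG_Call, and the transaction boundary marker.
EVENTS = [
    ("2015-03-02 00:00:05", "g1", "<GetDeliverySchedule",            "AfterReceiveRequest"),
    ("2015-03-02 00:00:07", "g1", "<GetDeliveryScheduleResponse",    "BeforeSendReply"),
    ("2015-03-02 00:00:10", "g2", "<GetProductAvailability",         "AfterReceiveRequest"),
    ("2015-03-02 00:00:11", "g2", "<GetProductAvailabilityResponse", "BeforeSendReply"),
    ("2015-03-02 01:00:02", "g3", "<GetDeliverySchedule",            "AfterReceiveRequest"),
    ("2015-03-02 01:00:06", "g3", "<GetDeliveryScheduleResponse",    "BeforeSendReply"),
    ("2015-03-02 01:00:20", "g4", "<GetProductAvailability",         "AfterReceiveRequest"),
    ("2015-03-02 01:00:23", "g4", "<GetProductAvailabilityResponse", "BeforeSendReply"),
    ("2015-03-02 01:30:00", "g5", "<GetDeliverySchedule",            "AfterReceiveRequest"),  # reply never logged
]
FMT = "%Y-%m-%d %H:%M:%S"
RESPONSE_SUFFIX = re.compile(r"Response$")


def transactions(events):
    """Model of `transaction GUID startswith=... endswith=...`: pair the request
    and the reply sharing a GUID; duration is the wall-clock gap between them.
    The grouped event keeps BOTH RTG_Call values (assumed multivalue merge)."""
    by_guid = defaultdict(dict)
    for ts, guid, call, stage in events:
        by_guid[guid][stage] = (datetime.strptime(ts, FMT), call)
    txns = []
    for guid, parts in by_guid.items():
        if "AfterReceiveRequest" not in parts or "BeforeSendReply" not in parts:
            continue  # open transaction (no reply yet): no duration to chart
        start, req_call = parts["AfterReceiveRequest"]
        end, resp_call = parts["BeforeSendReply"]
        txns.append({"_time": start, "GUID": guid,
                     "RTG_Call": [req_call, resp_call],
                     "duration": (end - start).total_seconds()})
    return txns


def timechart_avg_by(txns, series_key):
    """Model of `timechart avg(duration) by <field>` with an hourly span.
    Returns {series_name: {"HH:00": avg_duration}}. A multivalue split field
    credits the same duration to EVERY value, which is what yields the twin
    request/response lines (16 series for 8 calls) seen in the thread."""
    samples = defaultdict(lambda: defaultdict(list))
    for t in txns:
        bucket = t["_time"].strftime("%H:00")  # sample data spans one day
        for name in series_key(t):
            samples[name][bucket].append(t["duration"])
    return {name: {b: sum(v) / len(v) for b, v in buckets.items()}
            for name, buckets in samples.items()}


def all_values(t):
    """Series key as in the thread's search: every RTG_Call value."""
    return t["RTG_Call"]


def request_only(t):
    """Assumed fix, applied BEFORE the chart step: keep only the RTG_Call
    value(s) not ending in 'Response' (the `NOT match(RTG_Call,"Response$")`
    idea from the thread, moved ahead of timechart)."""
    return [c for c in t["RTG_Call"] if not RESPONSE_SUFFIX.search(c)]


def series_names(events, fixed):
    """Sorted list of chart series produced with or without the fix."""
    key = request_only if fixed else all_values
    return sorted(timechart_avg_by(transactions(events), key))


def chart_rows(events):
    """The corrected chart: one series per web service call."""
    return timechart_avg_by(transactions(events), request_only)


if __name__ == "__main__":
    print("without fix:", series_names(EVENTS, fixed=False))
    print("with fix:   ", series_names(EVENTS, fixed=True))
    for name, rows in chart_rows(EVENTS).items():
        print(name, rows)
```

Running the script shows four series for two calls when the split field still carries both values, and exactly two series once the response names are dropped before the chart; the same ordering rule applies to the real search, where the filter must sit between transaction and timechart rather than after it.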

jtrucks
Splunk Employee

No, my example was a fictitious search to find fields that could be acted upon.

--
Jesse Trucks
Minister of Magic

jtrucks
Splunk Employee

Please post the search you are using to produce your chart if you want more specific help than my answer below.

--
Jesse Trucks
Minister of Magic

skoelpin
SplunkTrust

I've included 8 calls and grouped them together using a GUID, which is a unique identifier for the request and response. There will only be 2 of the same GUIDs, one attached to the request and the other attached to the response, so we're able to tie together the request and response. This provides a good timechart of the response times, but only gives one line of the average response time across all calls. I need to split the calls up and let them have their own line.

index=unleashed RTG_Call="GetDeliverySchedule*" OR RTG_Call="GetProductAvailability*" OR RTG_Call="GetRelatedOrder*" OR RTG_Call="CreateOrder*" OR RTG_Call="MultiFindInShowroom*" OR RTG_Call="InqGeAuthorization*" OR RTG_Call="InqTdrsAuthorization*" OR RTG_Call="GetOrder*" | transaction GUID startswith="fterReceiveRequest" endswith="BeforeSendReply" | timechart avg(duration) AS "Response Time"