Splunk Search

Trellis Display of two values?

mfrost8
Builder

I am currently using a trellis layout successfully for a timechart. These show activity today. I'm interested in having yesterday's activity overlaid on top of today's activity. I can successfully do this with a separate, non-trellis panel (i.e. only a single value instead of a split-by clause in timechart), but when I try to do it in a trellis it just doesn't work. It will only display one of the values.

index=foo sourcetype=bar tag=biz earliest=-1d@d 
| addtotals 
| eval startToday = relative_time(now(),"@d") 
| eval startTodayHR=strftime(startToday, "%c") 
| eval startYesterday = relative_time(now(),"-1d@d") 
| eval startYesterdayHR = strftime(startYesterday, "%c") 
| eval marker = case(_time >= startToday, "Today", _time >=startYesterday,"Yesterday", 1=1,"Outside Range") 
| where marker != "Outside Range" 
| eval _time = case(marker="Today",_time, marker="Yesterday",_time+86400) 
| eval db=upper(host) 
| timechart fixedrange=f avg(Total) by db

will get me

[screenshot]

If I try to split solely by 'marker' (the field that indicates today vs yesterday), I get what I'd expect there too.

index=foo sourcetype=bar tag=biz earliest=-1d@d 
| addtotals 
| eval startToday = relative_time(now(),"@d") 
| eval startTodayHR=strftime(startToday, "%c") 
| eval startYesterday = relative_time(now(),"-1d@d") 
| eval startYesterdayHR = strftime(startYesterday, "%c") 
| eval marker = case(_time >= startToday, "Today", _time >=startYesterday,"Yesterday", 1=1,"Outside Range") 
| where marker != "Outside Range" 
| eval _time = case(marker="Today",_time, marker="Yesterday",_time+86400) 
| eval db=upper(host) 
| timechart fixedrange=f avg(Total) by marker

[screenshot]

It's kind of like I need to do

... | timechart fixedrange=f (avg(Total) by marker) by db

Even so it's not clear to me that trellis would want to show two lines on each timechart when one of those isn't an overlay.

0 Karma

niketn
Legend

@mfrost8, if you know the values of your db, you can use count(eval(db="yourValue1")) as "yourvalue1", count(eval(db="yourValue2")) as "yourvalue2" ... etc. Then finally use <option name="trellis.splitBy">_aggregation</option> to apply split by aggregation, which can be Day, with _time on the x-axis.

Refer to the following example, based on Splunk's _internal index, where log_level="ERROR" and log_level="WARN" have been used instead of db. The timespan is from 7 days ago until yesterday, i.e. earliest=-7d@d-1s latest=-1d@d-1s

[screenshot]

Following is the Simple XML code for the dashboard.

<dashboard>
  <label>Trellis By Time and Aggregate</label>
  <row>
    <panel>
      <chart>
        <search>
          <query>index=_internal sourcetype=splunkd log_level!=INFO component!="Metrics" component!="PeriodicHealthReporter" earliest=-7d@d-1s latest=-1d@d-1s 
| eval Day=strftime(_time,"%Y/%m/%d")
| timechart span=1h count(eval(log_level=="ERROR")) as Error count(eval(log_level=="WARN")) as Warn by Day</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">zero</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="trellis.enabled">1</option>
        <option name="trellis.scales.shared">0</option>
        <option name="trellis.size">large</option>
        <option name="trellis.splitBy">_aggregation</option>
        <option name="height">500</option>
      </chart>
    </panel>
  </row>
</dashboard>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
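Applying niketn's _aggregation split-by to mfrost8's original search gives one trellis panel per db, each carrying a Today and a Yesterday line. This is an added example, not code from either poster: `Total` is the field `addtotals` produces, the db values DB1 and DB2 and the 1h span are assumptions, and today's events are shifted back a day so both series share one 24-hour x-axis.

```spl
index=foo sourcetype=bar tag=biz earliest=-1d@d
| addtotals
| eval db = upper(host)
| eval Day = if(_time >= relative_time(now(),"@d"), "Today", "Yesterday")
| eval _time = if(Day="Today", _time-86400, _time)
| timechart span=1h fixedrange=f avg(eval(if(db=="DB1",Total,null()))) as DB1 avg(eval(if(db=="DB2",Total,null()))) as DB2 by Day
```

The result has series named "DB1: Today", "DB1: Yesterday", "DB2: Today" and "DB2: Yesterday"; with trellis.enabled=1 and trellis.splitBy set to _aggregation, the DB1 series land in one panel and the DB2 series in another.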

corey_reynders
Path Finder

*** Edited for a better way than what I originally posted (oops, still learning trellis myself) ***

Make today and yesterday their own fields for aggregation:
| eval today = if(_time >= relative_time(now(),"@d"), value,"") | eval yesterday=if(_time < relative_time(now(),"@d"),value,"")

Add the following after your marker eval to adjust today's time backwards a day:
| eval _time=if( _time>=relative_time(now(),"@d"),relative_time(_time,"-1d"),_time)

Change your timechart to:
| timechart avg(today) as today avg(yesterday) as yesterday by db

Ensure your trellis split-by is set to db.

Hope it helps.


0 Karma
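Putting corey_reynders' three pieces into mfrost8's original search gives the following complete query, split by db rather than by aggregation. This is an added example, not code from either poster: `Total` is the field `addtotals` produces, the 1h span is an assumption, and `null()` is used instead of `""` so the non-matching rows contribute nothing to avg.

```spl
index=foo sourcetype=bar tag=biz earliest=-1d@d
| addtotals
| eval startToday = relative_time(now(),"@d")
| eval today = if(_time >= startToday, Total, null())
| eval yesterday = if(_time < startToday, Total, null())
| eval _time = if(_time >= startToday, relative_time(_time,"-1d"), _time)
| eval db = upper(host)
| timechart span=1h fixedrange=f avg(today) as Today avg(yesterday) as Yesterday by db
```

With trellis.enabled=1 and <option name="trellis.splitBy">db</option>, each host gets its own panel showing the Today and Yesterday lines over the same 24-hour range; fixedrange=f keeps the x-axis from stretching to the full search window after the time shift.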