Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Tweaking a timechart

namritha
Path Finder
‎09-24-2016 11:52 PM

Hi,

I have a 20 servers that belong to cluster A (servers 1-10) and cluster B (servers 11-20).

My requirement is as follows,

TYPE OF CHART: TIMECHART
The blocks in the chart need to be by cluster.
The lines need to be by server. as given below,

alt text
I have figured out the rest of overlaying and having two Y axes.

Can anyone please help me with the query to create the blocks by cluster and the lines by server?

Thanks.

Tags (2)
Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎09-25-2016 07:54 AM

Try this

base search | bin span=1d _time | eval blocks=_time.'#".cluster | chart avg(response_time) as rt over blocks by server | rex field=blocks "(?<_time>[^\#]+)\#(?<cluster>.*)" | fields - blocks | eventstats count(eval(cluster="A")) as cluster_A count(eval(cluster="B")) as cluster_B by _time

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎09-25-2016 07:54 AM

Try this

base search | bin span=1d _time | eval blocks=_time.'#".cluster | chart avg(response_time) as rt over blocks by server | rex field=blocks "(?<_time>[^\#]+)\#(?<cluster>.*)" | fields - blocks | eventstats count(eval(cluster="A")) as cluster_A count(eval(cluster="B")) as cluster_B by _time
0 Karma
Reply
Solved! Jump to solution

namritha
Path Finder
‎09-25-2016 10:30 AM

Thankyou, that worked.

I have just one small thing left. When I try to overlay the response time on top of count, the options for overlay are displayed as host1, host2 .... host 10.

I do not want to select each of the servers individually as they are many in no. and are likely to increase in the future.

Can I select to the response time as a single field instead of selecting the servers individually? (Even though the response time is plotted per server)

i.e. avg(response_time) as rt over blocks by server needs to be referred as a single field instead of individual server names in Chart Overlay.

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎09-25-2016 11:51 AM

I don't believe you an do that. You may want to consider putting the cluster as the overlay line graph and the avg response time as bar chart. For overlay, you have to select each category individually.

Reply
Solved! Jump to solution

namritha
Path Finder
‎09-25-2016 01:10 PM

Thankyou. I guess I'll have to stick to the hard way of selecting each of the servers individually.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...