Splunk Search

Tweaking a timechart

namritha
Path Finder

Hi,

I have 20 servers that belong to cluster A (servers 1-10) and cluster B (servers 11-20).

My requirement is as follows:

TYPE OF CHART: TIMECHART
The blocks in the chart need to be by cluster.
The lines need to be by server.
as shown in the chart below:

[chart screenshot not reproduced]
I have figured out the rest of overlaying and having two Y axes.

Can anyone please help me with the query to create the blocks by cluster and the lines by server?

Thanks.

1 Solution

sundareshr
Legend

Try this

base search | bin span=1d _time | eval blocks=_time."#".cluster | chart avg(response_time) as rt over blocks by server | rex field=blocks "(?<_time>[^\#]+)\#(?<cluster>.*)" | fields - blocks | eventstats count(eval(cluster="A")) as cluster_A count(eval(cluster="B")) as cluster_B by _time
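A self-contained version of the same pipeline, added here as an illustration and not part of the original answer. It generates its own sample events with makeresults so it can be pasted into any Splunk search bar without the asker's data: the four server names, the cluster assignment (server1 and server2 in A, server3 and server4 in B), the two days and the response_time values are all constructed. The day binning, the composite blocks key, the chart over it and the rex split are the technique from the answer above; the extra tonumber step is an assumption added so that _time, which rex extracts as a string, is numeric again before the chart is drawn.

```spl
| makeresults count=8
| streamstats count as n
| eval server = "server" . ((n - 1) % 4 + 1)
| eval cluster = if((n - 1) % 4 < 2, "A", "B")
| eval _time = if(n <= 4, relative_time(now(), "-1d@d"), relative_time(now(), "@d"))
| eval response_time = 100 + n * 10
| bin span=1d _time
| eval blocks = _time . "#" . cluster
| chart avg(response_time) as rt over blocks by server
| rex field=blocks "(?<_time>[^\#]+)\#(?<cluster>.*)"
| fields - blocks
| eval _time = tonumber(_time)
| eventstats count(eval(cluster="A")) as cluster_A count(eval(cluster="B")) as cluster_B by _time
| table _time cluster cluster_A cluster_B server*
```

The result has one row per day-and-cluster pair (four rows here) and one column per server; a server's column is filled only on the rows of its own cluster. Because `chart ... by server` names the columns after the server values rather than after the `rt` alias, the visualization's overlay picker lists each server separately, which is the behaviour described in the follow-up below.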


namritha
Path Finder

Thank you, that worked.

I have just one small thing left. When I try to overlay the response time on top of count, the options for overlay are displayed as host1, host2, ..., host10.

I do not want to select each of the servers individually as they are many in number and are likely to increase in the future.

Can I select the response time as a single field instead of selecting the servers individually? (Even though the response time is plotted per server.)

i.e. avg(response_time) as rt over blocks by server needs to be referred as a single field instead of individual server names in Chart Overlay.


sundareshr
Legend

I don't believe you can do that. You may want to consider putting the cluster as the overlay line graph and the avg response time as bar chart. For overlay, you have to select each category individually.

namritha
Path Finder

Thank you. I guess I'll have to stick to the hard way of selecting each of the servers individually.
