
Tweaking a timechart

namritha
Path Finder

Hi,

I have 20 servers that belong to cluster A (servers 1-10) and cluster B (servers 11-20).

My requirement is as follows:

TYPE OF CHART: TIMECHART
The blocks in the chart need to be by cluster.
The lines need to be by server,
as given below:

[image not preserved]
I have figured out the rest of overlaying and having two Y axes.

Can anyone please help me with the query to create the blocks by cluster and the lines by server?

Thanks.

1 Solution

sundareshr
Legend

Try this

base search | bin span=1d _time | eval blocks=_time."#".cluster | chart avg(response_time) as rt over blocks by server | rex field=blocks "(?<_time>[^\#]+)\#(?<cluster>.*)" | fields - blocks | eventstats count(eval(cluster="A")) as cluster_A count(eval(cluster="B")) as cluster_B by _time

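
The accepted search packs the day bucket and the cluster into one key so that chart can split by server inside each (day, cluster) block, then splits the key apart again with rex. The Python below is an added example, not part of this thread, that reproduces that pipeline step by step on constructed events so the shape of the resulting rows is visible; the event tuples, host names and the DAY constant are assumptions.

```python
import re
from collections import defaultdict
from statistics import mean

DAY = 86400
# Constructed sample events: (epoch seconds, cluster, server, response_time in ms)
EVENTS = [
    (0 * DAY + 100, "A", "host1", 120.0),
    (0 * DAY + 200, "A", "host1", 80.0),
    (0 * DAY + 300, "A", "host2", 90.0),
    (0 * DAY + 400, "B", "host11", 300.0),
    (1 * DAY + 100, "A", "host1", 100.0),
    (1 * DAY + 500, "B", "host11", 250.0),
    (1 * DAY + 600, "B", "host12", 150.0),
]

# Same pattern as the answer's rex: text before '#' is the bucket, the rest is the cluster
BLOCK_RE = re.compile(r"(?P<_time>[^#]+)#(?P<cluster>.*)")


def chart_by_cluster_and_server(events, span=DAY):
    """One row per (day bucket, cluster), a column per server with avg response_time."""
    servers = sorted({e[2] for e in events})
    clusters = sorted({e[1] for e in events})

    # bin span=1d _time | eval blocks=_time."#".cluster
    samples = defaultdict(lambda: defaultdict(list))
    for t, cluster, server, rt in events:
        bucket = t - (t % span)
        samples[f"{bucket}#{cluster}"][server].append(rt)

    # chart avg(response_time) over blocks by server
    rows = []
    for blocks in samples:
        row = {s: None for s in servers}
        for server, rts in samples[blocks].items():
            row[server] = mean(rts)
        # rex field=blocks ... | fields - blocks: unpack the composite key again
        m = BLOCK_RE.match(blocks)
        row["_time"] = int(m.group("_time"))
        row["cluster"] = m.group("cluster")
        rows.append(row)
    rows.sort(key=lambda r: (r["_time"], r["cluster"]))

    # eventstats count(eval(cluster="A")) as cluster_A ... by _time
    counts = defaultdict(lambda: {f"cluster_{c}": 0 for c in clusters})
    for row in rows:
        counts[row["_time"]][f"cluster_{row['cluster']}"] += 1
    for row in rows:
        row.update(counts[row["_time"]])
    return rows
```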

namritha
Path Finder

Thank you, that worked.

I have just one small thing left. When I try to overlay the response time on top of count, the options for overlay are displayed as host1, host2 ... host10.

I do not want to select each of the servers individually, as they are many in number and are likely to increase in the future.

Can I select the response time as a single field instead of selecting the servers individually? (Even though the response time is plotted per server.)

i.e. avg(response_time) as rt over blocks by server needs to be referred to as a single field instead of individual server names in Chart Overlay.


sundareshr
Legend

I don't believe you can do that. You may want to consider putting the cluster as the overlay line graph and the avg response time as the bar chart. For overlay, you have to select each category individually.

namritha
Path Finder

Thank you. I guess I'll have to stick to the hard way of selecting each of the servers individually.
