Splunk Search

Tweaking a timechart

namritha
Path Finder

Hi,

I have 20 servers that belong to cluster A (servers 1-10) and cluster B (servers 11-20).

My requirement is as follows,

TYPE OF CHART: TIMECHART
The blocks in the chart need to be by cluster.
The lines need to be by server.
as given below,

[chart image not available]
I have figured out the rest of overlaying and having two Y axes.

Can anyone please help me with the query to create the blocks by cluster and the lines by server?

Thanks.


sundareshr
Legend

Try this

base search | bin span=1d _time | eval blocks=_time."#".cluster | chart avg(response_time) as rt over blocks by server | rex field=blocks "(?<_time>[^\#]+)\#(?<cluster>.*)" | fields - blocks | eventstats count(eval(cluster="A")) as cluster_A count(eval(cluster="B")) as cluster_B by _time
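The same query run against constructed sample data, as an added example that is not part of the original thread: the first four lines use makeresults to fabricate six servers (host1-host6, clusters A and B) with one response_time sample per day over three days, so the blocks-by-cluster, lines-by-server shape can be reproduced in any Splunk instance without the asker's index. The server, cluster and response_time field names are assumptions matching the thread.

```spl
| makeresults count=6
| streamstats count as n
| eval _time=relative_time(now(), "-".(n%3)."d@d")
| eval server="host".n, cluster=if(n<=3, "A", "B"), response_time=100+n*10
| bin span=1d _time
| eval blocks=_time."#".cluster
| chart avg(response_time) as rt over blocks by server
| rex field=blocks "(?<_time>[^\#]+)\#(?<cluster>.*)"
| fields - blocks
| eventstats count(eval(cluster="A")) as cluster_A count(eval(cluster="B")) as cluster_B by _time
```

The result has one row per day and cluster, one column per server (the lines) and the cluster_A / cluster_B columns (the blocks); switch the visualization to a column chart and overlay the host columns to get the layout asked for.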

namritha
Path Finder

Thank you, that worked.

I have just one small thing left. When I try to overlay the response time on top of count, the options for overlay are displayed as host1, host2 ... host10.

I do not want to select each of the servers individually as they are many in number and are likely to increase in the future.

Can I select the response time as a single field instead of selecting the servers individually? (Even though the response time is plotted per server.)

i.e. avg(response_time) as rt over blocks by server needs to be referred as a single field instead of individual server names in Chart Overlay.


sundareshr
Legend

I don't believe you can do that. You may want to consider putting the cluster as the overlay line graph and the avg response time as bar chart. For overlay, you have to select each category individually.

namritha
Path Finder

Thank you. I guess I'll have to stick to the hard way of selecting each of the servers individually.
