Splunk Search

Combine two results on a timechart to compare them

indeed_2000
Motivator

Hi

I have two results like this:

REQ

Name           count
Node1.Node2    100
Node3.Node4    500

RSP

Name           count
Node2.Node1    60
Node4.Node3    400

How can I compare them on a timechart?

e.g.

Put them on a timechart so I can see Node2 receives 100 REQ but responds to 60 of them.

I need to put them all on a timechart.

Any idea?

Thanks,

0 Karma

ITWhisperer
SplunkTrust

You need some time element to be able to use a timechart.

It depends on what you are trying to achieve and how you want to display the result.

For example, you could convert all the RSP to negative counts so they show below the x-axis while the REC appear above the line.

You could reverse the nodes in the name so that REC-RSP counts show the number of non-responses.

0 Karma

indeed_2000
Motivator

1- I have a time field, and am able to show the count of them by time.

2- I just need to compare them on a timechart. E.g. the main chart shows REC and an overlay chart shows RSP on top of it.

Would you please tell me the SPL commands for these examples that you mentioned?

Thanks

0 Karma

ITWhisperer
SplunkTrust

What searches are you currently using?

What do your events look like?

0 Karma

indeed_2000
Motivator

@ITWhisperer I need to make something like this:

[Image: indeed_2000_0-1643789355960.png]

0 Karma

ITWhisperer
SplunkTrust

This isn't a timechart, it is a Sankey diagram. What does this have to do with your original question?

0 Karma

indeed_2000
Motivator

Do you have any idea about the timechart?

Thanks

0 Karma

ITWhisperer
SplunkTrust

Do you want the total REC and total RSP per hour? Or something else?

0 Karma

indeed_2000
Motivator

You're right, I was just thinking about another way to compare them with a Sankey diagram.

I created another post for it:
rex to combine result - Splunk Community

0 Karma

indeed_2000
Motivator

Here are the events:

REQ

2022-01-29 13:59:46,928 INFO CUS.AbCD-Servive1-00000 [AppListener] Receive Packet[000*]: From[Node1.Node2]

RSP
2022-01-29 13:59:47,013 INFO CUS.AbCD-Servive1-00000_CUS.AbCD-Service2-111111 [AppNodeManager] Send Packet [000*] to [Node2.Node1]

0 Karma
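An added example, not written by any poster in this thread: one SPL search that applies the two suggestions made earlier (negative RSP counts, and reversing the RSP node names so both directions share one name) to the two event formats posted above. The index name `your_index` is a placeholder; the field names (`req_from`, `req_to`, `rsp_from`, `rsp_to`, `type`, `pair`, `signed`, `series`), the one-hour span and `limit=0` are assumptions, and the `rex` patterns are written only against the two sample lines shown here.

```spl
index=your_index ("Receive Packet" OR "Send Packet")
| rex "Receive Packet\s*\[[^\]]*\]: From\[(?<req_from>[^.\]]+)\.(?<req_to>[^\]]+)\]"
| rex "Send Packet\s*\[[^\]]*\] to \[(?<rsp_from>[^.\]]+)\.(?<rsp_to>[^\]]+)\]"
| eval type=if(isnotnull(req_from), "REQ", "RSP")
| eval pair=if(type="REQ", req_from.".".req_to, rsp_to.".".rsp_from)
| eval signed=if(type="REQ", 1, -1)
| eval series=pair." ".type
| timechart span=1h limit=0 sum(signed) by series
```

Each node pair yields two series, for example `Node1.Node2 REQ` above the x-axis and `Node1.Node2 RSP` below it. Replacing the last line with `| timechart span=1h limit=0 sum(signed) by pair` plots REQ minus RSP per pair, which is the number of requests without a response in each hour.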