Splunk Search

Combine two results on a timechart to compare them

indeed_2000
Motivator

Hi

I have two results like this:

REQ

Name            count
Node1.Node2     100
Node3.Node4     500

RSP

Name            count
Node2.Node1     60
Node4.Node3     400

How can I compare them on a timechart?

e.g.

Put them on a timechart so I can see that Node2 received 100 REQ but responded to 60 of them.

Need to put them all on a timechart.

Any idea?

Thanks,

0 Karma

ITWhisperer
SplunkTrust

You need some time element to be able to use a timechart.

It depends on what you are trying to achieve and how you want to display the result.

For example, you could convert all the RSP to negative counts so they show below the x-axis while the REC appear above the line.

You could reverse the nodes in the name so that REC-RSP counts show the number of non-responses.

0 Karma

indeed_2000
Motivator

1- I have a time field, and am able to show the count of them by time.

2- Just need to compare them on a timechart. E.g. the main chart shows REC and an overlay chart shows RSP on top of it.

Would you please tell me the SPL commands for these examples that you mention?

Thanks

0 Karma

ITWhisperer
SplunkTrust

What searches are you currently using?

What do your events look like?

0 Karma

indeed_2000
Motivator

@ITWhisperer need to make something like this:

indeed_2000_0-1643789355960.png

0 Karma

ITWhisperer
SplunkTrust

This isn't a timechart, it is a sankey diagram. What does this have to do with your original question?

0 Karma

indeed_2000
Motivator

Do you have any idea about the timechart?

Thanks

0 Karma

ITWhisperer
SplunkTrust

Do you want the total REC and total RSP per hour? Or something else?

0 Karma

indeed_2000
Motivator

You're right, I just thought about another way to compare them with a sankey diagram.

Created another post for it:
rex to combine result - Splunk Community

0 Karma

indeed_2000
Motivator

Here are the events:

REQ

2022-01-29 13:59:46,928 INFO CUS.AbCD-Servive1-00000 [AppListener] Receive Packet[000*]: From[Node1.Node2]

RSP
2022-01-29 13:59:47,013 INFO CUS.AbCD-Servive1-00000_CUS.AbCD-Service2-111111 [AppNodeManager] Send Packet [000*] to [Node2.Node1]

0 Karma
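The two ideas from the replies above (reverse the node names on RSP so both directions share one name, and plot RSP as negative counts) as an added SPL example; it is not from any poster in this thread. It replays the two sample events posted above through makeresults, and the field names data, verb, a, b, type, pair and series, the "##" separator and the 1-minute span are assumptions.

```spl
| makeresults
| eval data=split("2022-01-29 13:59:46,928 INFO CUS.AbCD-Servive1-00000 [AppListener] Receive Packet[000*]: From[Node1.Node2]##2022-01-29 13:59:47,013 INFO CUS.AbCD-Servive1-00000_CUS.AbCD-Service2-111111 [AppNodeManager] Send Packet [000*] to [Node2.Node1]", "##")
| mvexpand data
| eval _raw=data, _time=strptime(substr(data, 1, 23), "%Y-%m-%d %H:%M:%S,%3N")
| rex "(?<verb>Receive|Send) Packet\s*\[[^\]]*\]:? (?:From|to)\s*\[(?<a>[^.\]]+)\.(?<b>[^\]]+)\]"
| where isnotnull(verb)
| eval type=if(verb="Receive", "REQ", "RSP")
| eval pair=if(type="REQ", a.".".b, b.".".a)
| eval series=type."_".pair
| timechart span=1m count by series
| foreach RSP_* [eval "<<FIELD>>" = -'<<FIELD>>']
```

Against real data, replace the first four lines with the base search that returns these events. Drop the final foreach line to overlay REQ and RSP as positive series instead of mirroring RSP below the x-axis.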