Solved: get the values in each line

secure · ‎12-19-2024

Hi i have a below query where I'm calculating the total prod server count in first dataset and in second dataset I'm plottting a timechart for the server count. what i want to display is a line chart with total prod server showing as threshold and line and the below line chart as server count

index=data sourcetype="server"
| rex field=_raw "server=\"(?<EVENT_CODE>[^\"]*)"
| search [ | inputlookup prodata_eventcode.csv | fields EVENT_Code ]
| stats dc(host_name) as server_prod_count
|rename
| append
[
| search index=appdata source=appdata_value
| rex field=value "\|(?<Item>[^\|]+)?\|(?<EVENT_CODE>[^\|]+)|(?<PROD_Count>[^\|]+)?"
| dedup DATE,EVENT_CODE
| timechart span=1d sum(PROD_Count) as SERVER_COUNT]
| table _time,local_PROD_COUNT,snow_prod_count
| rename DYNA_PROD_COUNT as SERVER_COUNT,snow_prod_count as Threshold

Question is how can i get the threshold value in all the rows so that i can plot threshold vs server count in the line graph

Below is the snapshot

ITWhisperer · ‎12-19-2024

From where you are, you could simply do something like this

| filldown Threshold

View solution in original post

ITWhisperer · ‎12-19-2024

From where you are, you could simply do something like this

| filldown Threshold

get the values in each line

timechart

Stay Connected: Your Guide to February Tech Talks, Office Hours, and Webinars!

Preparing your Splunk Environment for OpenSSL3

Incident Response: Reduce Incident Recurrence with Automated Ticket Creation