Solved: Re: get the values in each line

secure · ‎12-19-2024

Hi i have a below query where I'm calculating the total prod server count in first dataset and in second dataset I'm plottting a timechart for the server count. what i want to display is a line chart with total prod server showing as threshold and line and the below line chart as server count

index=data sourcetype="server"
| rex field=_raw "server=\"(?<EVENT_CODE>[^\"]*)"
| search [ | inputlookup prodata_eventcode.csv | fields EVENT_Code ]
| stats dc(host_name) as server_prod_count
|rename
| append
[
| search index=appdata source=appdata_value
| rex field=value "\|(?<Item>[^\|]+)?\|(?<EVENT_CODE>[^\|]+)|(?<PROD_Count>[^\|]+)?"
| dedup DATE,EVENT_CODE
| timechart span=1d sum(PROD_Count) as SERVER_COUNT]
| table _time,local_PROD_COUNT,snow_prod_count
| rename DYNA_PROD_COUNT as SERVER_COUNT,snow_prod_count as Threshold

Question is how can i get the threshold value in all the rows so that i can plot threshold vs server count in the line graph

Below is the snapshot

ITWhisperer · ‎12-19-2024

From where you are, you could simply do something like this

| filldown Threshold

View solution in original post

ITWhisperer · ‎12-19-2024

From where you are, you could simply do something like this

| filldown Threshold

get the values in each line

timechart

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation