Splunk Search

how do I edit my search to create multiple graphs using timechart?

hishamjan
Explorer

index=_* OR index=* sourcetype=Kamailio BC="Current Billable Calls Count:" | rex field=_raw "Count:(?<Billablecalls>.*)" | timechart max(Billablecalls)

index=_* OR index=* sourcetype=Kamailio NBC="Current NON-Billable Calls Count:" | rex field=_raw "Calls Count:(?<NonBillableCalls>.*)" | timechart max(NonBillableCalls)

index=_* OR index=* sourcetype=Kamailio CAIB="Current Active Inbound Calls:" | rex field=_raw "Calls: (?<Inboundcalls>.*)" | timechart max(Inboundcalls)


The above three are separate searches but I would like to combine them and plot over a single Calls against Time chart. Is there any viable solution for this?

Any degree of help will be appreciated.


1 Solution

ITWhisperer
SplunkTrust

Yes. The timechart will have produced a table which the graph is just a visualisation of. You can eval a total field as being the sum of the three fields you already have. You can then adjust the visualisation to add an overlay specifying the total field you just created


hishamjan
Explorer

I did, 

| eval totalCalls = 'in_calls' + 'nb_calls' + 'b_calls' | table _time totalCalls

and displayed the total result.


Thanks a bunch, cheers!


ITWhisperer
SplunkTrust

You don't need the table _time totalCalls at the end; the extra field is in the table, just adjust the chart format.


ITWhisperer
SplunkTrust

It is not possible to tell from the information you have given. For example, if you combined billable calls and non-billable calls, your rex expression as it stands could give you the wrong values. You should probably modify these so that each one would only work on the relevant events and not match the irrelevant events. You would have to either share examples of all the events you are dealing with or work that out yourself.


hishamjan
Explorer

Thanks for the reply, I figured that out myself by using appendcols command but now my concern is, is there a way to calculate the total number at a given instant using multi-line graphs and also plot that on the same multi-line graph?  

I've attached a screenshot of what I've achieved so far, hope it can give you an idea 

Screenshot 2021-02-17 at 2.36.54 PM.png


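Putting the two points from this thread together (one rex per event type that only matches its own events, then a total computed with eval on top of the timechart table), here is a single combined search in place of the three appendcols'd searches. This is an added example, not code posted by hishamjan or ITWhisperer. It assumes the three Kamailio log lines carry an integer count right after the literal text shown in the original searches (hence \d+), that the events live in a searchable index (index=*), and it reuses the field names b_calls, nb_calls and in_calls from the eval above.

```spl
index=* sourcetype=Kamailio ("Current Billable Calls Count:" OR "Current NON-Billable Calls Count:" OR "Current Active Inbound Calls:")
| rex field=_raw "Current Billable Calls Count:\s*(?<b_calls>\d+)"
| rex field=_raw "Current NON-Billable Calls Count:\s*(?<nb_calls>\d+)"
| rex field=_raw "Current Active Inbound Calls:\s*(?<in_calls>\d+)"
| timechart span=5m max(b_calls) AS b_calls max(nb_calls) AS nb_calls max(in_calls) AS in_calls
| fillnull value=0 b_calls nb_calls in_calls
| eval totalCalls = b_calls + nb_calls + in_calls
```

Each rex is anchored on the full message prefix, so the billable pattern no longer fires on "NON-Billable Calls Count:" lines when both kinds of events are in one search, which is the wrong-values problem raised above. fillnull matters because a time bucket with no event of one type would otherwise have a null field and the eval would yield a null total rather than the sum of the other two. The result is one table with four columns per _time bucket; leave it as a line chart (no final table command needed) and add totalCalls as a chart overlay in the visualisation format settings, as the accepted answer describes. span=5m is a placeholder; pick the bucket size that matches how often Kamailio emits these counters.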
