Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

how do I edit my search to create mutliple graphs using timechart?

hishamjan
Explorer
‎02-16-2021 11:25 PM

index=_* OR index=* sourcetype=Kamailio BC="Current Billable Calls Count:" | rex field=_raw "Count:(?<Billablecalls>.*)" | timechart max(Billablecalls)

index=_* OR index=* sourcetype=Kamailio NBC="Current NON-Billable Calls Count:" | rex field=_raw "Calls Count:(?<NonBillableCalls>.*)" | timechart max(NonBillableCalls)

index=_* OR index=* sourcetype=Kamailio CAIB="Current Active Inbound Calls:" | rex field=_raw "Calls: (?<Inboundcalls>.*)" | timechart max(Inboundcalls)

 

The above three are separate searches but I would like to combine them and plot over a single Calls against Time chart. Is there any viable solution for this?

Any degree of help will be appreciated.

 

Labels (5)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-17-2021 01:46 AM

Yes. The timechart will have produced a table which the graph is just a visualisation of. You can eval a total field as being the sum of the three fields you already have. You can then adjust the visualisation to add an overlay specifying the total field you just created

View solution in original post

Reply
Solved! Jump to solution

hishamjan
Explorer
‎02-17-2021 02:12 AM

I did, 

| eval totalCount = 'in_calls' + 'nb_calls' + 'b_calls'  | table _time totalCalls 

and displayed the total result.

 

Thanks a bunch, cheers!

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-17-2021 02:26 AM

You don't need the table _time totalCalls at the end, the extra field is in the table, just adjust the chart format

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-17-2021 12:12 AM

It is not possible to tell from the information you have given. For example, it you combined billable call and non-billable calls, your rex expression as it stands could give you the wrong values. You should probably modify these so that each one would only work on the relevant events and not match for the irrelevant events. You would have to either share examples of all the event you are dealing with or work that out yourself.

0 Karma
Reply
Solved! Jump to solution

hishamjan
Explorer
‎02-17-2021 01:42 AM

Thanks for the reply, I figured that out myself by using appendcols command but now my concern is, is there a way to calculate the total number at a given instant using multi-line graphs and also plot that on the same multi-line graph?  

I've attached a screenshot of what I've achieved so far, hope it can give you an idea 

Screenshot 2021-02-17 at 2.36.54 PM.png

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-17-2021 01:46 AM

Yes. The timechart will have produced a table which the graph is just a visualisation of. You can eval a total field as being the sum of the three fields you already have. You can then adjust the visualisation to add an overlay specifying the total field you just created

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...