Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to show separate line for different site in one chart?

florapann
Engager
‎11-04-2021 12:10 PM

from checkbox value, if i choose multiple sites, i would like to show all sites separate line chart for average trackout time. now the problem if i choose multiple sites, it only show one line chart by coming all sites average trackout value.

query: MicronSite IN($site$) index=mtparam sourcetype=CommandTimesByArea | rex field=_raw "Fabwide:AvgTotalTrackoutTime\s+(?\d+)" | timechart span=12h avg(AvgTotalTrackoutTime) aligntime=@d+7h avg(command_time)

For example: from check box list i choose "F10N" and "F10W". but in chart, only show one line by combing those two site's average trackout time values and show one chart. i would like to show two separate line , one line for F10N's average trackout time and another line for F10W's average trackout time. 

please help to suggest for this issue

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-04-2021 12:26 PM 
MicronSite IN($site$) index=mtparam sourcetype=CommandTimesByArea | rex field=_raw "Fabwide:AvgTotalTrackoutTime\s+(?\d+)" | timechart span=12h avg(AvgTotalTrackoutTime) aligntime=@d+7h avg(command_time) by MicronSite

View solution in original post

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎11-04-2021 01:10 PM

Just add "by MicronSite" in your timechart command (at the end).

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-04-2021 12:26 PM 
MicronSite IN($site$) index=mtparam sourcetype=CommandTimesByArea | rex field=_raw "Fabwide:AvgTotalTrackoutTime\s+(?\d+)" | timechart span=12h avg(AvgTotalTrackoutTime) aligntime=@d+7h avg(command_time) by MicronSite
0 Karma
Reply
Solved! Jump to solution

florapann
Engager
‎11-04-2021 01:05 PM

i got below error when i run your query

florapann_0-1636056319625.png

 

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎11-04-2021 01:32 PM

Hey, that was your own regex. 🙂

I assume that there should be a capturing group name there. So instead of

(?\d+)

You should have something like

(?<your_field>\d+)

0 Karma
Reply
Solved! Jump to solution

florapann
Engager
‎11-04-2021 01:59 PM

got it thanks alot 😄 
if i want to combine another one more chart into that dashboard with different query, is it possible? it produce same average total trackout time but different source

other chart query : 

index=mfg source=command_times area_id=Fabwide command_name IN (SigmaRunComplete,MESLotTrackOut) | timechart partial=f span=12h aligntime=@d+7h avg(avg) by command_name | addtotals fieldname=AvgTotalTrackoutTime

 

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...