Splunk Search

how to show separate line for different site in one chart?

florapann
Engager

from checkbox value, if i choose multiple sites, i would like to show all sites separate line chart for average trackout time. now the problem if i choose multiple sites, it only show one line chart by coming all sites average trackout value.

query: MicronSite IN($site$) index=mtparam sourcetype=CommandTimesByArea | rex field=_raw "Fabwide:AvgTotalTrackoutTime\s+(?\d+)" | timechart span=12h avg(AvgTotalTrackoutTime) aligntime=@d+7h avg(command_time)

For example: from check box list i choose "F10N" and "F10W". but in chart, only show one line by combing those two site's average trackout time values and show one chart. i would like to show two separate line , one line for F10N's average trackout time and another line for F10W's average trackout time. 

please help to suggest for this issue

Labels (2)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust
MicronSite IN($site$) index=mtparam sourcetype=CommandTimesByArea | rex field=_raw "Fabwide:AvgTotalTrackoutTime\s+(?\d+)" | timechart span=12h avg(AvgTotalTrackoutTime) aligntime=@d+7h avg(command_time) by MicronSite 

View solution in original post

0 Karma

somesoni2
Revered Legend

Just add "by MicronSite" in your timechart command (at the end).

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
MicronSite IN($site$) index=mtparam sourcetype=CommandTimesByArea | rex field=_raw "Fabwide:AvgTotalTrackoutTime\s+(?\d+)" | timechart span=12h avg(AvgTotalTrackoutTime) aligntime=@d+7h avg(command_time) by MicronSite 
0 Karma

florapann
Engager

i got below error when i run your query

florapann_0-1636056319625.png

 

0 Karma

PickleRick
SplunkTrust
SplunkTrust

Hey, that was your own regex. 🙂

I assume that there should be a capturing group name there. So instead of

(?\d+)

You should have something like

(?<your_field>\d+)

0 Karma

florapann
Engager

got it thanks alot 😄 
if i want to combine another one more chart into that dashboard with different query, is it possible? it produce same average total trackout time but different source

other chart query : 

index=mfg source=command_times area_id=Fabwide command_name IN (SigmaRunComplete,MESLotTrackOut) | timechart partial=f span=12h aligntime=@d+7h avg(avg) by command_name | addtotals fieldname=AvgTotalTrackoutTime

 

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...