Solved: Re: overlay chart

maniishpawar · ‎05-24-2017

how to create a single chart with two values.
one showing sum of requests in span=5m window
and other showing request processed by each server in that 5m window.

cmerriman · ‎05-24-2017

try this:

index=myapp* sourcetype=iis* | bucket _time span=5m| eventstats count as _tcount1 by _time | chart limit=0 max(_tcount1) count by _time host

View solution in original post

cmerriman · ‎05-24-2017

try this:

index=myapp* sourcetype=iis* | bucket _time span=5m| eventstats count as _tcount1 by _time | chart limit=0 max(_tcount1) count by _time host

maniishpawar · ‎05-25-2017

this didnt gave the correct results.
Here is the requirement
for a given instant of time , say 9;00 to 9:05 get a total count of request received across all host ( 30000)
then for the same 9:00 to 9:05 window, i want to show how much requests each host served , say 6 hosts each serving 5000

so the graph should show me line graph for each host req count and
bar group for total count of 9:00-9:05 window

cmerriman · ‎05-25-2017

what is my syntax showing you after you format it as a chart overlay and change one to bar and one to line? can you show me? I think i understand what you're wanting, but i'm just not sure what's wrong. The eventstats should give a total count for all events every 5 minutes and then the chart command would show the value (max) of that on the 5 minute interval and also count the events by host and 5 minute interval.

https://docs.splunk.com/Documentation/Splunk/6.6.0/Viz/Chartcontrols#Chart_overlay_example_.28dual_a...

maniishpawar · ‎05-25-2017

the issue is the max is also grouped by host when displayed in charthttps://goo.gl/p8a5Wd

maniishpawar · ‎05-25-2017

https://goo.gl/JGoMiD

cmerriman · ‎05-25-2017

try adding:

...|foreach max* [eval tcount1='<<FIELD>>']|fields - max*

maniishpawar · ‎05-25-2017

great this works just perfect.
Can you please help me understand foreach max* [eval tcount1='<>']|fields - max*.

specifically [eval tcount1='<>']|fields - max*
so far I can infer that for all the fields that start with max* its evaluating tcount1.
but how is it getting only one value of tcount1.

cmerriman · ‎05-25-2017

foreach takes all fields specified (in this case all fields beginning with max) and can do evaluations on them. so we're evaluating a new field called tcount1 and grabbing the values of the fields we call in the foreach statement. Since they're the same value for every time increment, i wasn't concerned about adding them together, so all we need is to call it once. if we needed to add them together, we might use MATCHSTR

http://docs.splunk.com/Documentation/Splunk/6.6.0/SearchReference/Foreach#Syntax

maniishpawar · ‎05-25-2017

Thank you for the explanation.

cmerriman · ‎05-24-2017

do you have some of the syntax that you're working with?

...|timechart limit=0 span=5m sum(requests) sum(requestProcessed) by server

you can go into the format section and click on 'chart overlay' and select the field you'd like to overlay, if you want, otherwise they'll both be on the same axis. either way, this might work, depending on the fieldnames.

maniishpawar · ‎05-24-2017

index=myapp* sourcetype=iis* | bucket _time span=5m| eventstats count as _tcount1 by _time | timechart avg(_tcount1) count by host

overlay chart

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!