How to create a single chart with two values:
one showing the sum of requests in a span=5m window,
and the other showing the requests processed by each server in that 5m window.
try this:
index=myapp* sourcetype=iis* | bucket _time span=5m| eventstats count as _tcount1 by _time | chart limit=0 max(_tcount1) count by _time host
This didn't give the correct results.
Here is the requirement:
for a given instant of time, say 9:00 to 9:05, get a total count of requests received across all hosts (30000).
Then, for the same 9:00 to 9:05 window, I want to show how many requests each host served, say 6 hosts each serving 5000.
So the graph should show me a line graph for each host's request count and
a bar group for the total count of the 9:00-9:05 window.
What is my syntax showing you after you format it as a chart overlay and change one to bar and one to line? Can you show me? I think I understand what you're wanting, but I'm just not sure what's wrong. The eventstats should give a total count for all events every 5 minutes, and then the chart command would show the value (max) of that on the 5-minute interval and also count the events by host and 5-minute interval.
The issue is the max is also grouped by host when displayed in the chart: https://goo.gl/p8a5Wd
Try adding:
...|foreach max* [eval tcount1='<<FIELD>>']|fields - max*
Great, this works just perfectly.
Can you please help me understand foreach max* [eval tcount1='<<FIELD>>']|fields - max*.
Specifically [eval tcount1='<<FIELD>>']|fields - max*.
So far I can infer that for all the fields that start with max* it's evaluating tcount1,
but how is it getting only one value of tcount1?
foreach takes all fields specified (in this case all fields beginning with max) and can do evaluations on them. So we're evaluating a new field called tcount1 and grabbing the values of the fields we call in the foreach statement. Since they're the same value for every time increment, I wasn't concerned about adding them together, so all we need is to call it once. If we needed to add them together, we might use MATCHSTR.
http://docs.splunk.com/Documentation/Splunk/6.6.0/SearchReference/Foreach#Syntax
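The column-naming problem and the foreach fix described above, modelled in Python as an added example (this is not code from the original thread and not Splunk's own implementation). It walks through `bucket _time span=5m`, `eventstats count AS _tcount1 BY _time`, `chart max(_tcount1) count BY _time host` and `foreach max* [eval tcount1='<<FIELD>>'] | fields - max*` over a handful of constructed IIS-style records, so you can see why the total comes out as one `max(_tcount1): <host>` column per host (the shape Splunk's chart uses when several aggregations are split by a field) and why overwriting `tcount1` from each of those columns in turn still yields a single correct window total. Hostnames, timestamps and the `SPAN_SECONDS` constant are assumptions for illustration.

```python
"""Model of the SPL pipeline from the thread (added example, not from the
original post and not Splunk code). The constructed events below stand in
for index=myapp* sourcetype=iis* results."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed IIS-style records: (timestamp, host). Not real data.
SAMPLE_EVENTS = [
    ("2017-09-01 09:00:12", "web01"),
    ("2017-09-01 09:01:45", "web02"),
    ("2017-09-01 09:03:02", "web01"),
    ("2017-09-01 09:04:59", "web03"),
    ("2017-09-01 09:05:00", "web02"),
    ("2017-09-01 09:07:30", "web02"),
    ("2017-09-01 09:09:10", "web01"),
]

SPAN_SECONDS = 300  # span=5m (assumed, matches the thread's searches)
EPOCH = datetime(1970, 1, 1)


def bucket_time(ts: str) -> int:
    """`bucket _time span=5m`: floor the timestamp to the 5-minute boundary.
    Computed against a fixed epoch so the result does not depend on local tz."""
    secs = int((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S") - EPOCH).total_seconds())
    return secs - secs % SPAN_SECONDS


def eventstats_count_by_time(events):
    """`eventstats count AS _tcount1 BY _time`: every event keeps its own row
    and gets the window total attached, so _tcount1 is identical on all
    events that fall in the same 5-minute window."""
    bucketed = [(bucket_time(ts), host) for ts, host in events]
    totals = Counter(t for t, _ in bucketed)
    return [{"_time": t, "host": h, "_tcount1": totals[t]} for t, h in bucketed]


def chart_max_count_by_time_host(rows):
    """`chart limit=0 max(_tcount1) count BY _time host`: one row per _time,
    but the split-by host applies to EVERY aggregation, so max(_tcount1) is
    emitted as a 'max(_tcount1): <host>' column per host instead of one
    total column. Hosts with no events in a window get count 0 and no max
    value (Splunk leaves that cell empty)."""
    per_time = defaultdict(lambda: defaultdict(list))
    for r in rows:
        per_time[r["_time"]][r["host"]].append(r["_tcount1"])
    all_hosts = sorted({r["host"] for r in rows})
    out = []
    for t in sorted(per_time):
        row = {"_time": t}
        for host in all_hosts:
            vals = per_time[t].get(host, [])
            if vals:
                row[f"max(_tcount1): {host}"] = max(vals)
            row[f"count: {host}"] = len(vals)
        out.append(row)
    return out


def foreach_collapse_max(chart_rows):
    """`foreach max* [eval tcount1='<<FIELD>>'] | fields - max*`: each max*
    column overwrites tcount1 in turn. They all carry the same window total,
    so the last assignment is as good as any, and the per-host max columns
    are then dropped, leaving one total plus one count column per host."""
    out = []
    for row in chart_rows:
        new = {k: v for k, v in row.items() if not k.startswith("max")}
        for k, v in row.items():
            if k.startswith("max"):
                new["tcount1"] = v  # same value for every host in this window
        out.append(new)
    return out


if __name__ == "__main__":
    for r in foreach_collapse_max(chart_max_count_by_time_host(
            eventstats_count_by_time(SAMPLE_EVENTS))):
        print(r)
```

With the sample data, the 09:00 window has 4 requests (web01: 2, web02: 1, web03: 1) and the 09:05 window has 3 (web01: 1, web02: 2); after the foreach step each row carries a single `tcount1` holding that total alongside the per-host `count:` columns, which is the shape that lets you overlay the total as a bar and the hosts as lines. Had the per-host max columns needed summing rather than de-duplicating, the eval would have to accumulate (`tcount1 + '<<FIELD>>'`) instead of overwriting.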
Thank you for the explanation.
Do you have some of the syntax that you're working with?
...|timechart limit=0 span=5m sum(requests) sum(requestProcessed) by server
You can go into the format section and click on 'chart overlay' and select the field you'd like to overlay, if you want; otherwise they'll both be on the same axis. Either way, this might work, depending on the field names.
index=myapp* sourcetype=iis* | bucket _time span=5m| eventstats count as _tcount1 by _time | timechart avg(_tcount1) count by host