Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

time chart

vinod0313
Explorer
‎05-18-2021 03:49 AM

I have two queries and i want to display both the query result in line chart (one line in the line chart from the result of query 1 and  another line in the line chart from the result of query 2)

below is the query which i append the two queries ,but i am not getting proper line chart


index="cx_aws" host="aw-lx0244.deltadev.ent" source ="pf-enrollee-family-roster-service" AND ("/persons/" OR "/contracts/") AND HttpStatusCode|bucket _time span=1h | stats count by _time
|append
[search index="cx_aws" host="aw-lx0244.deltadev.ent" source="pf-enrollee-family-roster-service" AND ("/persons/" OR "/contracts/") AND HttpStatusCode | eval TimeTaken3 = trim(replace(TimeTaken, ",","")) | eval REQUESTED_URL2 = trim(replace(REQUESTED_URL, "/contracts/",""))| eval REQUESTED_URL3 = trim(replace(REQUESTED_URL2, "/enrollees","")) | sort -num(TimeTaken3) | WHERE TimeTaken3>10000|bucket _time span=1h | stats count by _time] 

please suggest in order to achieve the two line sin the line chart(one for each query)

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎05-18-2021 04:11 AM

HI @vinod0313,

please see my approach and adapt it to your real situation (I cannot test it!):

index="cx_aws" host="aw-lx0244.deltadev.ent" source ="pf-enrollee-family-roster-service" ("/persons/" OR "/contracts/") HttpStatusCode
| bucket _time span=1h 
| stats count AS "First" by _time
|append [ search 
     index="cx_aws" host="aw-lx0244.deltadev.ent" source="pf-enrollee-family-roster-service" ("/persons/" OR "/contracts/") HttpStatusCode 
     | eval TimeTaken3=trim(replace(TimeTaken, ",","")) 
     | eval REQUESTED_URL2=trim(replace(REQUESTED_URL, "/contracts/",""))
     | eval REQUESTED_URL3 = trim(replace(REQUESTED_URL2, "/enrollees","")) 
     | sort -num(TimeTaken3) 
     | WHERE TimeTaken3>10000
     | bucket _time span=1h 
     | stats count AS "Second" by _time
     ] 
| stats values(First) AS First values(Second) AS Second BY _time

Beware to the number of result of the second search: if they could be more than 50,000 you could have errors.

Otherwise, you could try a different approach:

index="cx_aws" (host="aw-lx0244.deltadev.ent" OR host="aw-lx0244.deltadev.ent") source ="pf-enrollee-family-roster-service" ("/persons/" OR "/contracts/") HttpStatusCode
| stats count AS "First" by _time
| eval TimeTaken3=trim(replace(TimeTaken, ",","")) 
| eval REQUESTED_URL2=trim(replace(REQUESTED_URL, "/contracts/",""))
| eval REQUESTED_URL3 = trim(replace(REQUESTED_URL2, "/enrollees","")) 
| search TimeTaken3>10000 OR host="aw-lx0244.deltadev.ent"
| timechart span=1h count BY host

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

vinod0313
Explorer
‎05-18-2021 04:20 AM

hi @gcusello 

Thanks for your response, i have tried with your suggestion and below is the response chart

vinod0313_0-1621336751982.png

 


is there any chance that we can get second also line chart(now we are not getting as line)

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎05-18-2021 05:01 AM

Hi @vinod0313,

please, try the second one because I think that's better, anyway, for the first solution, did you tried different options in the chart? bacause it seems that you haven't some values.

Ciao.

Giuseppe

 

 

0 Karma
Reply
Solved! Jump to solution

vinod0313
Explorer
‎05-18-2021 05:14 AM

HI @gcusello

The second one didn't worked actually and i tried the options in the chart with first solution and it worked.
Thanks a lot.

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎05-18-2021 04:11 AM

HI @vinod0313,

please see my approach and adapt it to your real situation (I cannot test it!):

index="cx_aws" host="aw-lx0244.deltadev.ent" source ="pf-enrollee-family-roster-service" ("/persons/" OR "/contracts/") HttpStatusCode
| bucket _time span=1h 
| stats count AS "First" by _time
|append [ search 
     index="cx_aws" host="aw-lx0244.deltadev.ent" source="pf-enrollee-family-roster-service" ("/persons/" OR "/contracts/") HttpStatusCode 
     | eval TimeTaken3=trim(replace(TimeTaken, ",","")) 
     | eval REQUESTED_URL2=trim(replace(REQUESTED_URL, "/contracts/",""))
     | eval REQUESTED_URL3 = trim(replace(REQUESTED_URL2, "/enrollees","")) 
     | sort -num(TimeTaken3) 
     | WHERE TimeTaken3>10000
     | bucket _time span=1h 
     | stats count AS "Second" by _time
     ] 
| stats values(First) AS First values(Second) AS Second BY _time

Beware to the number of result of the second search: if they could be more than 50,000 you could have errors.

Otherwise, you could try a different approach:

index="cx_aws" (host="aw-lx0244.deltadev.ent" OR host="aw-lx0244.deltadev.ent") source ="pf-enrollee-family-roster-service" ("/persons/" OR "/contracts/") HttpStatusCode
| stats count AS "First" by _time
| eval TimeTaken3=trim(replace(TimeTaken, ",","")) 
| eval REQUESTED_URL2=trim(replace(REQUESTED_URL, "/contracts/",""))
| eval REQUESTED_URL3 = trim(replace(REQUESTED_URL2, "/enrollees","")) 
| search TimeTaken3>10000 OR host="aw-lx0244.deltadev.ent"
| timechart span=1h count BY host

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...