I am trying to display data in the form of a line chart in a dashboard. Each line in the chart should represent a separate series. For example, one series would show the number of events in which "string1" appears in index i1, and the other series would be the number of events in which "string2" appears in the same index i1.
For one data series I can write in the search bar something like:
index = i1 string1 | timechart count by event
How can I incorporate string 2 in this such that for each string the count of events in which the strings appear can be represented by two different lines in a chart in dashboard?
The docs had been updated and I don't have the exact page but here are some references:
Multiline data series not working with Splunk. I tried a simple timechart count by host and the dashboard is not supporting this query. When I schedule PDF delivery it just shows as blank.
I am trying to create field (key/value) pairs for string1 and string2 interactively following http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/ExtractfieldsinteractivelywithIFX
For string1 I am able to create a field, but for string2 Splunk is not allowing me to create a field; it does not create a regex for the second string. Is there another way to create fields? Also, I was wondering, since I know there will be only one value associated with each of the fields I create, is creating fields the only way to do it? Ex: field s1="String1" and s2="String2" always.
Thanks for the link. I checked it but I am not getting clearly how it's done.
I want to search for multiple strings in an index, calculate the count of events separately in which the strings appear, and then plot them in a chart.
The example in the link does not show how I can search for a string and plot it in a chart. Ex: index = i1 string1 "String 1 " | stats count
This will give the number of events in index i1 where "String 1" is present. How can I implement this using the example given in the link?