Solved: help on append command in a line chart

jip31 · ‎02-06-2024

hello

I need to display 2 curves in my line chart from two different index

so i am doing this :

index="disk" sourcetype="Perfmon:disk" 
| bin span=10m _time 
| eval time=strftime(_time, "%H:%M:%S") 
| stats avg(Value) as Disque by time 
| eval Disque=round(Disque, 2) 
| append
    [ search index="mem" sourcetype="Perfmon:mem" 
    | bin span=10m _time 
    | eval time=strftime(_time, "%H:%M:%S") 
    | stats avg(Value) as Mémoire by time 
    | eval Mémoire=round(Mémoire, 2)]

the problem I have is that on the x axis my curves are not aligned on the same time slot

what is wrong please?

thanks

ITWhisperer · ‎02-06-2024

You need to get your stats into the same events. Try something like this

index="disk" sourcetype="Perfmon:disk" 
| bin span=10m _time 
| eval time=strftime(_time, "%H:%M:%S") 
| rename Value as Disque 
| append
    [ search index="mem" sourcetype="Perfmon:mem" 
    | bin span=10m _time 
    | eval time=strftime(_time, "%H:%M:%S") 
    | rename Value as Mémoire]
| stats avg(Disque) as Disque avg(Mémoire) as Mémoire by time 
| eval Disque=round(Disque, 2) 
| eval Mémoire=round(Mémoire, 2)

View solution in original post

ITWhisperer · ‎02-06-2024

You need to get your stats into the same events. Try something like this

index="disk" sourcetype="Perfmon:disk" 
| bin span=10m _time 
| eval time=strftime(_time, "%H:%M:%S") 
| rename Value as Disque 
| append
    [ search index="mem" sourcetype="Perfmon:mem" 
    | bin span=10m _time 
    | eval time=strftime(_time, "%H:%M:%S") 
    | rename Value as Mémoire]
| stats avg(Disque) as Disque avg(Mémoire) as Mémoire by time 
| eval Disque=round(Disque, 2) 
| eval Mémoire=round(Mémoire, 2)

jip31 · ‎02-06-2024

thanks

help on append command in a line chart

other

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector

Adoption of Infrastructure Monitoring at Splunk