I'm having trouble using timechart for multiple hosts. Here's what I want to do:
index="wmi" host="hostprefix*" (wmi_type=CPUTime OR wmi_type=NET OR wmi_type=Memory) | kv | fields wmi_type,host,PercentProcessorTime,Contexts,AvailableMBytes | timechart max(AvailableMBytes) by host | max(PercentProcessorTime) by host | timechart max(Context) by host
That doesn't work. "Fields missing" on the second two timechart commands. Changing the order shows it isn't an issue with the data. So I've tried this, and I get the error "Error in 'timechart' command: When you specify a split-by field, only single functions applied to a non-wildcarded data field are allowed."
index="wmi" host="hostprefix*" (wmi_type=CPUTime OR wmi_type=NET OR wmi_type=Memory) | kv | fields wmi_type,host,PercentProcessorTime,Contexts,AvailableMBytes | timechart max(AvailableMBytes), max(Context), max(PercentProcessorTime) by host
I've also tried the following, which returns the error "Error in 'timechart' command: The argument 'max(Context)' is invalid."
index="wmi" host="hostprefix*" (wmi_type=CPUTime OR wmi_type=NET OR wmi_type=Memory) | kv | fields wmi_type,host,PercentProcessorTime,Contexts,AvailableMBytes | timechart max(AvailableMBytes) by host, max(Context) by host, max(PercentProcessorTime) by host
Why is that? I truly want to split all three items by host. I can have three different graphs, but that isn't really what I want.
Unfortunately, with timechart, if you specify a field to split by, you can not specify more than one item to graph. This is because, when you split by a field, the distinct values of that field become the column/field names. In essense you want to produce a graph with 3 axis (time, host, and AvailableMBytes/Context/PercentProcessorTime), but we can only produce 2D tables and charts.
You could try doing this (basically flattening the 3rd axis together with the host field):
index="wmi" host="hostprefix*" (wmi_type=CPUTime OR wmi_type=NET OR wmi_type=Memory)
| kv
| fields wmi_type,host,PercentProcessorTime,Contexts,AvailableMBytes
| eval pivot = "PercentProcessorTime;Contexts;AvailableMBytes"
| makemv pivot delim=";"
| mvexpand pivot
| eval x=if(pivot="PercentProcessorTime",PercentProcessorTime,if(pivot="Contexts",Contexts,AvailableMBytes))
| eval host = pivot . "-" . host
| timechart max(x) by host
Unfortunately, with timechart, if you specify a field to split by, you can not specify more than one item to graph. This is because, when you split by a field, the distinct values of that field become the column/field names. In essense you want to produce a graph with 3 axis (time, host, and AvailableMBytes/Context/PercentProcessorTime), but we can only produce 2D tables and charts.
You could try doing this (basically flattening the 3rd axis together with the host field):
index="wmi" host="hostprefix*" (wmi_type=CPUTime OR wmi_type=NET OR wmi_type=Memory)
| kv
| fields wmi_type,host,PercentProcessorTime,Contexts,AvailableMBytes
| eval pivot = "PercentProcessorTime;Contexts;AvailableMBytes"
| makemv pivot delim=";"
| mvexpand pivot
| eval x=if(pivot="PercentProcessorTime",PercentProcessorTime,if(pivot="Contexts",Contexts,AvailableMBytes))
| eval host = pivot . "-" . host
| timechart max(x) by host
By the way, in 4.2, which will be released in the near future, you will be able to do multi-series split-by within chart or timechart
This http://www.splunk.com/base/Documentation/4.1.6/User/ReportOfMultipleDataSeries shows a slightly different way of doing it.
the one minor bit:
| eval host = pivot . "-" host
should be:
| eval host = pivot . "-" . host
But that works!