Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

timechart help: split all by host

tedder
Communicator
‎01-10-2011 07:54 PM

I'm having trouble using timechart for multiple hosts. Here's what I want to do:

index="wmi" host="hostprefix*" (wmi_type=CPUTime OR wmi_type=NET OR wmi_type=Memory) | kv | fields wmi_type,host,PercentProcessorTime,Contexts,AvailableMBytes | timechart max(AvailableMBytes) by host | max(PercentProcessorTime) by host | timechart max(Context) by host

That doesn't work. "Fields missing" on the second two timechart commands. Changing the order shows it isn't an issue with the data. So I've tried this, and I get the error "Error in 'timechart' command: When you specify a split-by field, only single functions applied to a non-wildcarded data field are allowed."

index="wmi" host="hostprefix*" (wmi_type=CPUTime OR wmi_type=NET OR wmi_type=Memory) | kv | fields wmi_type,host,PercentProcessorTime,Contexts,AvailableMBytes | timechart max(AvailableMBytes), max(Context), max(PercentProcessorTime) by host

I've also tried the following, which returns the error "Error in 'timechart' command: The argument 'max(Context)' is invalid."

index="wmi" host="hostprefix*" (wmi_type=CPUTime OR wmi_type=NET OR wmi_type=Memory) | kv | fields wmi_type,host,PercentProcessorTime,Contexts,AvailableMBytes | timechart max(AvailableMBytes) by host, max(Context) by host, max(PercentProcessorTime) by host

Why is that? I truly want to split all three items by host. I can have three different graphs, but that isn't really what I want.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

steveyz
Splunk Employee
Splunk Employee
‎01-11-2011 07:06 PM

Unfortunately, with timechart, if you specify a field to split by, you can not specify more than one item to graph. This is because, when you split by a field, the distinct values of that field become the column/field names. In essense you want to produce a graph with 3 axis (time, host, and AvailableMBytes/Context/PercentProcessorTime), but we can only produce 2D tables and charts.

You could try doing this (basically flattening the 3rd axis together with the host field):

index="wmi" host="hostprefix*" (wmi_type=CPUTime OR wmi_type=NET OR wmi_type=Memory)
| kv
| fields wmi_type,host,PercentProcessorTime,Contexts,AvailableMBytes
| eval pivot = "PercentProcessorTime;Contexts;AvailableMBytes"
| makemv pivot delim=";"
| mvexpand pivot
| eval x=if(pivot="PercentProcessorTime",PercentProcessorTime,if(pivot="Contexts",Contexts,AvailableMBytes))
| eval host = pivot . "-" . host
| timechart max(x) by host

View solution in original post

Reply
Solved! Jump to solution
Solution

steveyz
Splunk Employee
Splunk Employee
‎01-11-2011 07:06 PM

Unfortunately, with timechart, if you specify a field to split by, you can not specify more than one item to graph. This is because, when you split by a field, the distinct values of that field become the column/field names. In essense you want to produce a graph with 3 axis (time, host, and AvailableMBytes/Context/PercentProcessorTime), but we can only produce 2D tables and charts.

You could try doing this (basically flattening the 3rd axis together with the host field):

index="wmi" host="hostprefix*" (wmi_type=CPUTime OR wmi_type=NET OR wmi_type=Memory)
| kv
| fields wmi_type,host,PercentProcessorTime,Contexts,AvailableMBytes
| eval pivot = "PercentProcessorTime;Contexts;AvailableMBytes"
| makemv pivot delim=";"
| mvexpand pivot
| eval x=if(pivot="PercentProcessorTime",PercentProcessorTime,if(pivot="Contexts",Contexts,AvailableMBytes))
| eval host = pivot . "-" . host
| timechart max(x) by host
Reply
Solved! Jump to solution

steveyz
Splunk Employee
Splunk Employee
‎01-20-2011 05:57 AM

By the way, in 4.2, which will be released in the near future, you will be able to do multi-series split-by within chart or timechart

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎01-13-2011 07:15 AM

This http://www.splunk.com/base/Documentation/4.1.6/User/ReportOfMultipleDataSeries shows a slightly different way of doing it.

0 Karma
Reply
Solved! Jump to solution

tedder
Communicator
‎01-12-2011 10:05 PM

the one minor bit:

| eval host = pivot . "-" host

should be:

| eval host = pivot . "-" . host

But that works!

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...