Is there a way to display a timechart for all resu...

azqaz · ‎02-01-2016

I'm trying to find a way to return a list of hosts and then create a timechart of a metric for each of the hosts. Below is the attempt I made using the map command, but only the final result seems to display.

index=nix | dedup host | table host | map [search index=nix sourcetype=cpu  host=$host$ cpu=All| eval pctCPU=(100 - pctIdle) | eventstats avg(pctCPU) as apctCPU, stdev(pctCPU) as sdev | eval threeSigma=(apctCPU + (sdev * 3)) | where pctCPU < threeSigma | timechart span=5m values(pctCPU)]

somesoni2 · ‎02-01-2016

How about this

index=nix sourcetype=cpu   cpu=All| eval pctCPU=(100 - pctIdle) | eventstats avg(pctCPU) as apctCPU, stdev(pctCPU) as sdev by host | eval threeSigma=(apctCPU + (sdev * 3)) | where pctCPU < threeSigma | timechart span=5m values(pctCPU) by host

azqaz · ‎02-02-2016

No, that just gives one chart with all of the hosts on it. What I'm needing to satisfy the managers request is a page with one chart for each of the hosts from the fist search results. So if 5 hosts are returned, I need to create 5 graphs.

somesoni2 · ‎02-02-2016

You can run this query and in the dashboard->Edit Panel, select the Multi-series as Yes. This will give you one graph for each series (host). See this for more details
https://answers.splunk.com/answers/96358/multi-series-graph-split-by-group-clause.html

azqaz · ‎02-02-2016

That is better. Not exactly what I was hoping for, but probably good enough for the time being. Thanks.

Is there a way to display a timechart for all results of a search?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life