Splunk Search

How can I recreate this chart in Splunk?

Esky73
Builder

http://imgur.com/MbH4w37

Trying to recreate this chart in Splunk - can anyone assist, as I'm a bit uncertain where to start?

Hits = SampleCount
Network Time = Network Time
Server Time = Server Time

Thanks.

Selected
Location: Sydney
Time: 6:35:54 AM
host: SPLUNK
index: main
source: Filtered_data_Peak3.csv
sourcetype: csv

Event
ErrorCount: 0
Network Time: 175
Response Time: 533
SampleCount: 1
Server Time: 358
URL: https://xxxxxx
331
bytes: 473
grpThreads: 331
label: /data_table.do
linecount: 1
responseCode: 200
splunk_server: SPLUNK
success: 1
timeStamp: 1.46355E+12

Time
time: 2016-05-19T06:35:54.000+10:00

Default
punct: .+,::
,,,,,/.,,,,,,://.-./.?=&=&=&=&=,,


sundareshr
Legend

Since your sourcetype is csv I assume the fields have been extracted. Try this for your chart. You can set it up for display as an area chart with Hits as overlay. That should give you something similar to what you have.

your base search here | timechart span=3m sum(SampleCount) as Hits sum("Network Time") as "Network Time" sum("Server Time") as "Server Time" 


Esky73
Builder

Hi,

Thanks for looking at this. Is there a way of using the "Time" field instead of _time?

Also, how to add an average line onto the chart for average response time?


sundareshr
Legend

Here...

your base search here | timechart span=3m sum(SampleCount) as Hits sum("Network Time") as "Network Time" sum("Server Time") as "Server Time" avg("Response Time") as "Response Time" | rename _time AS Time | fieldformat Time=strftime(Time, "%x %X")

Esky73
Builder

Thanks. As the "Hits" (SampleTime) is using the left axis, the line is right at the bottom of the chart as it is using those values to plot, which is why I was looking for a separate axis on the right side to represent the hits to make it more presentable.

Also, for the bottom of the graph, all we are doing is renaming _time to Time. What I want to do is use the values of the Time field for the bottom of the graph.

Thanks.


sundareshr
Legend

For hits, you can specify a second axis for the overlay field (Hits). See here for how-to

http://docs.splunk.com/Documentation/Splunk/6.1.8/Viz/Chartcontrols#Chart_overlay

For Time, try this

your base search here | eval Time=strptime(Time, "%I:%M:%S %p") | bin span=3m Time | chart sum(SampleCount) as Hits sum("Network Time") as "Network Time" sum("Server Time") as "Server Time" avg("Response Time") as "Response Time" by Time | fieldformat Time=strftime(Time, "%I:%M:%S %p")
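
The setup discussed in this thread (area chart with Hits as an overlay on its own right-hand axis), sketched as a Simple XML dashboard panel. This is an added example, not part of the original posts: the dashboard label, axis titles and time range are assumptions, and the base search uses the index, sourcetype and source shown in the question's event.

```xml
<dashboard>
  <label>Load test results</label> <!-- assumed label -->
  <row>
    <panel>
      <chart>
        <search>
          <!-- index, sourcetype and source come from the event in the question -->
          <query>
            index=main sourcetype=csv source="Filtered_data_Peak3.csv"
            | timechart span=3m sum(SampleCount) as Hits
                sum("Network Time") as "Network Time"
                sum("Server Time") as "Server Time"
                avg("Response Time") as "Response Time"
          </query>
          <earliest>0</earliest> <!-- assumed time range: all time -->
          <latest>now</latest>
        </search>
        <!-- Area chart for the timing series -->
        <option name="charting.chart">area</option>
        <!-- Draw Hits as a line over the areas -->
        <option name="charting.chart.overlayFields">Hits</option>
        <!-- Give the overlay its own axis on the right so small counts are not flattened -->
        <option name="charting.axisY2.enabled">true</option>
        <!-- Assumed axis titles -->
        <option name="charting.axisTitleY.text">Time</option>
        <option name="charting.axisTitleY2.text">Hits</option>
      </chart>
    </panel>
  </row>
</dashboard>
```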

Esky73
Builder

Thanks - I didn't need to use another Time - we got the _time working properly from the source - and the Overlay did the trick for the Hits Chart - thanks a lot for the help, made my 1st Splunk venture a successful one 🙂

ppablo
Retired

Glad you found your solution through @sundareshr's help. Don't forget to resolve the question by clicking "Accept" directly below his answer. Be sure to upvote his answer and/or comment that helped you too.
