- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Have two searches by count on one chart and their ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have two searches by count on one chart and their sum
Hey everyone!
I just started using Splunk and am having trouble finding a way to have a line graph with 3 separate lines graphing 2 different searches with a line for each search and then a line for the sum of the counts of those searches on the same chart.
My searches are...
"Out of memory" "Migration to host" | timechart count by source
"vmotion task succeeded" | timechart count
Thanks for any help!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just thought of another way to do it..
("Out of memory" AND "Migration to host") OR "vmotion task succeeded" |
eval series="" |
eval series=case(match(_raw, ".*Out of memory.*"),series="Out of memory",
match(_raw, ".*vmotion task succeeded.*"),series="vmotion task succeeded") |
timechart count by series | eventstats sum(count) as Total
I'm not sure this will work...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First, this search will plot more than one line:
"Out of memory" "Migration to host" | timechart count by source
It should plot one line for each source. If there are more than 10 sources, splunk will summarize.
In order to get the lines that you want, try this first
"Out of memory" "Migration to host" | eval series="Out of Mem... Migration" |
append [ search "vmotion task succeeded" | eval series="vmotion task succeeded" | field series ] |
timechart count by series
The above will get you two lines. You could choose a stacked line chart to see the sum of the two. That's easiest. If you want to create the summation yourself, you could do it this way, but you have to choose the charting time interval. I will assume an hour is what you want:
"Out of memory" "Migration to host" |
bucket _time span=1h |
stats count as migration_count by _time |
fields _time migration_count |
join type=outer _time [ search "vmotion task succeeded" |
bucket _time span=1h |
stats count as vmotion_count by _time |
field _time vmotion_count ] |
fillnull value=0 migration_count vmotion_count |
eval total_count = vmotion_count + migration_count |
eval series="Migration Vmotion Total" | makemv series | mvexpand series |
eval count=case(series=="Migration",migration_count,series=="Vmotion",vmotion_count,series=="Total", total_count) |
xyseries _time,series,count
This goes through a number of gyrations to get the graph, and I hope it will work. I tried to check my typing, but I can't really test this solution...
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
