How to get multiple overlays on panel, by time

rnotch · ‎11-03-2017

Hi, so currently I have the following panel and code:

index=origin sourcetype=access_combined (AccountID!="test" AND AccountID!="server") $AccountIDtoken$  | eval AccountID=if(isnum(AccountID), tag, AccountID) | chart count  by AccountID, status_description

But what I WANT is for it to look kinda like this...

...With FOUR overlay lines (one for each response code total count). One axis would be account IDs (probably stacked), the other axis would be time slots. I have pickers for Timeframe (token=field1) and AccountID (token=AccountIDtoken) and timespan (token=span) in place.

That way I could see variation in response codes over time, per account. Any thoughts?

Sukisen1981 · ‎11-04-2017

index=origin sourcetype=access_combined (AccountID!="test" AND AccountID!="server") $AccountIDtoken$ | eval AccountID=if(isnum(AccountID), tag, AccountID) | chart count by AccountID, status_description | addtotals | fields status_description, Totals

Now , go to the chart format and select all status_description as overlay

rnotch · ‎11-06-2017

I'm afraid that search comes up as blank, even when running it in a search bar with the token removed. If I run it with just the "addtotals," it looks identical to before. The last pipe is stripping all the data for some reason.

Sukisen1981 · ‎11-04-2017

have you explored streamstats ???

How to get multiple overlays on panel, by time

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms