How can I create a bar chart with positive and negative values? Here is the use case I have.
I have events coming in per hour from two different machines, A and B. If machine A has 10 more events generated than machine B, the bar chart should shoot UP 10 units. If machine B has 15 more events than machine A, then the bar chart should shoot DOWN 15 units. If machine A and machine B have the same number of events generated, then there would be no units displayed.
I am pretty new to Splunk, so I am not sure where to start to create something like this.
Given your clarification in my previous answer, try this:
(index="machine_a" OR index="machine_b") category=web
| timechart span=YourSpanHere avg(event_count) BY index
| eval delta = machine_a - machine_b
| timechart span=YourSpanHere first(delta) AS delta
You can replace avg with max or latest or some other, more appropriate aggregation.
Like this:
(index="machine_a" OR index="machine_b") category=web
| timechart span=YourSpanHere count BY index
| eval delta = machine_a - machine_b
| timechart span=YourSpanHere first(delta) AS delta
BTW, putting each host in a separate index is probably not the right way to partition your data (although in some cases it can make sense).
Thanks for the update. I should have added more notes to my query. Log from machine A: index="machine_a" category=web event_count=100 and log from machine B: index="machine_a" category=web event_count=80. The desired output would be 20, as machine A has 20 more events than machine B. If machine B event_count is 100 and machine A event_count is 80, -20 would be the desired output. While reading your query, I think it takes the difference in the number of LOGS and not event_count. I am also confused as to how to reference machineA and machineB values as you did above.
I had a typo (now corrected) where machineA should have been machine_a, etc. See my new answer for a better solution.
Try something along these lines (assuming you want some sort of timechart of the difference of counts on both machines; also assuming there is a field machine in your logs with values machineA and machineB):
your base search which collects required logs from machineA and machineB
| timechart span=1d count by machine
| rename COMMENT as "Above line would generate a column for values of field machine, so if the field machine has value machineA and machineB, you'd see two fields called machineA and machineB."
| eval Difference='machineA'-'machineB'
| table _time Difference
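Putting the two answers above together for the setup described in the question (two indexes rather than a machine field, and an event_count field to be summed instead of counting log lines), here is an added example that is not from either answerer; the hourly span and the zero fill for hours in which only one machine reported are my assumptions:

```spl
(index="machine_a" OR index="machine_b") category=web
| timechart span=1h sum(event_count) BY index
| fillnull value=0 machine_a machine_b
| eval delta = machine_a - machine_b
| table _time delta
```

The BY index clause produces one column per index value, so the two indexes become the fields machine_a and machine_b that eval subtracts. Without fillnull, an hour in which only one machine logged anything gives a null delta and an empty bar, which is indistinguishable from the two machines being equal.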
Being new to Splunk, how can I PIPE the logs from machine A and machine B to the same chart? My query looks something like this for machine A: index="machine_a" category=web and this for machine B: index="machine_b" category=web.
See my answer.