How to create a 3 dimensional chart from 2 differe...

sangs8788 · ‎11-28-2017

I am trying to build panel which will show when GC occurred and what was the CPU time when GC occurred & before GC occurred. The problem is the search queries need to be build from two different sources. Below are the queries

Time at which GC occurred
index=gc host =testserver sourcetype="gc" "GC (Allocation Failure)" |table _time

Thread CPU time across the server
index=appln host=testserver | timechart span=5m sum(THREAD_CPU_MS) as CUM_THREAD_CPU_MS

How do i combine both into one chart ?

woodcock · ‎11-28-2017

Here is a run-anywhere example:

(index=_* AND sourcetype="splunkd") OR (index=_* AND sourcetype=splunk_resource_usage)
| timechart avg(eval(10000 * cpu_seconds)) AS CPU count(eval(sourcetype="splunkd")) AS splunkd_event_count

Yours might be something like this:

host=testserver AND ((index=gc AND sourcetype="gc" AND "GC (Allocation Failure)") OR (index=appln))
| timechart span=5m sum(THREAD_CPU_MS) AS CUM_THREAD_CPU_MS count(eval(index=gc)) AS Garbage_Collection_Allocation_Failures

nileena · ‎11-28-2017

Please try this search:

host=testserver ((index=gc sourcetype="gc" "GC (Allocation Failure)") OR index=appln)
| timechart span=5m sum(eval(case(index=="appln", THREAD_CPU_MS))) AS CUM_THREAD_CPU_MS count(eval(sourcetype=="gc")) AS gc_occurance

It will show both parameters in one timechart.
You can change one of the parameters to overlay so as to use a separate scale for each parameter.
Good luck!

How to create a 3 dimensional chart from 2 different sources ?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...