Splunk Search

How to create a chart from output of index and dataset?

AmitSampat
Loves-to-Learn Lots

All,

I have an index with some fields like appId and responsetime. I also have a dataset where the appId is the same, but in this file I have a proper name linked with the appId.

So as an example:
INDEX OUTPUT
appId, responsetime
202, 1200

OUTPUT file
appId, serviceName
202, serviceA

I am looking for a syntax where I can have the output:
serviceA, responseTime
202, 1200

And on top of this, I want to create a chart out of this.

I was playing around with a join query and was able to create a table:

index=xx | dedup appId | eval duration = RT - FT | join type=inner appId
[|inputlookup tmpfile.csv | rename serviceA as URL]
| table appId serviceA responsetime
|where appId = appId

BUT, I cannot create charts with avg(responseTime).

 

Can someone help?

 

Thanks.

Amit

0 Karma

nadlurinadluri
Communicator

You don't need to use join here when the data is in a lookup file, and for charts you can use the stats command. You can try something like below:

$FirstQuery which gives appId and responseTime as output$
| lookup tmpfile.csv appId AS appId output serviceA
| stats avg(responseTime) AS responseTime by appId,serviceA
0 Karma

AmitSampat
Loves-to-Learn Lots

Thanks for the response.

 

I tried, but this is not working. Also I need to remove the dedup, otherwise it will take only one event.
The thing is, the index output results in many appIds with some responsetime. I need to make this into a chart, linked with the servicename (which is not there in the index output).

 

Any tips how to proceed?

Thanks

0 Karma
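
An added example, not part of any post in this thread: one way to write the lookup-based enrichment discussed above without dedup, so every event contributes to the average. It assumes the CSV columns are named appId and serviceName, as in the question's sample file, and that the indexed field is spelled responsetime; Splunk field names are case-sensitive, so an aggregate over responseTime returns nothing if the events carry responsetime, and the field named after OUTPUT has to match the CSV column header exactly.

```spl
index=xx
| lookup tmpfile.csv appId OUTPUT serviceName
| eval serviceName = coalesce(serviceName, "unmapped appId " . appId)
| stats avg(responsetime) AS avg_responsetime count AS events BY serviceName
| sort - avg_responsetime
```

The coalesce line keeps events whose appId has no row in the lookup visible as their own group; without it, stats silently drops events where the BY field is null. The result has one row per service and can be switched to a column or bar chart on the Visualization tab.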