Multiple values into seperate timewrap charts

mtmoore · ‎07-16-2014

I'd like to pass multiple performance counters into the timewrap app so that it produces multiple graphs for analysis. Currently I can only pass one counter to timewrap with a 3 week comparism of that 1 counter for 1 host on a Saturday which is great:

index="perfmon" host="hostname" counter="% Processor Time" earliest=-3w@w latest=@w |timechart avg(Value) span=1h | timewrap w | where strftime(_time,"%A") == "Saturday"

What i'd like to do is pass it say 20 different counters producing 20 different graphs of 3 week comparisms of Saturdays.. how would I do this?

Thanks!

wpreston · ‎07-16-2014

One way would be to use the Sideview Utils multiplexer module, it will do exactly what you are looking for. If you don't already have it, download sideview utils and look at the documentation for multiplexer.

EDIT:

I'm probably using a different verison of Sideview than you are but in my version he has an example that does just what you're looking for, except it's done on the sourcetype field. On my version, it's on the "Using Multiplexer with Pager" page of the Module documentation. In it, there is a search that sets up some preliminary statistics, a post process that gets the unique values of sourcetype that he wants to report on, a multiplexer module that tells multiplexer to multiplex the sourctype field, another post process that creates the timecharts he wants, then an html module and a JSChart module to set the visualizations. you can use this as a model to set up what you're looking for. Here is the relevant example XML:

<!-- EXAMPLE BEGIN -->
<module name="Search" layoutPanel="panel_row3_col1" autoRun="True">
    <param name="search">index=_internal source=*metrics.log group=per_sourcetype_thruput | bin _time span="1min" | stats sum(kb) as totalKB by series, _time | rename series as sourcetype</param>
    <param name="earliest">-60m</param>
    <param name="latest">now</param>

    <module name="JobProgressIndicator" />

    <module name="HiddenChartFormatter">
      <param name="charting.chart">line</param>
      <param name="charting.legend.placement">none</param>
      <param name="charting.axisTitleX.visibility">collapsed</param>

      <module name="PostProcess">
        <param name="search">dedup sourcetype | sort sourcetype</param>

        <module name="Pager">
          <param name="count">5</param>

          <module name="Multiplexer">
            <param name="field">sourcetype</param>

            <module name="PostProcess">
              <param name="search">search sourcetype="$sourcetype$" | timechart span="1min" max(totalKB) as totalKB</param>

              <module name="HTML">
                <param name="html"><![CDATA[
                  <h2>$sourcetype$</h2>
                ]]></param>
              </module>

              <module name="JSChart">
                <param name="height">150px</param>
                <param name="width">100%</param>
              </module>
            </module>
          </module>
        </module>
      </module>
    </module>
  </module>
  <!-- EXAMPLE END -->

wpreston · ‎07-16-2014

Please see the updated answer.

mtmoore · ‎07-16-2014

Do you mean this part? "Multiplexer:: Multiplexer allows you to custom-render search result rows, and use Splunk and Sideview modules to do that custom rendering. This sounds kind of like nothing at all, but it’s very very amazing. Picture being able to write a dashboard where for EACH row in your search results you can have a graph. Or a graph and a table and some HTML."

mtmoore · ‎07-16-2014

Thanks for the quick response, how will specifically help?

Multiple values into seperate timewrap charts

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk