Hello, I'm trying to sum by groups (I have 2 groups) and then plot them individually and also the sum. I'm using the following script to plot group 1.
| fields inbound_rate outbound_rate HOST
| where HOST like "%location_a%"
| addtotals fieldname=a_TPS
| timechart span=5m sum(a_TPS) as a_TPS
This works and sums all the server TPS from location a. Now I have servers in another location (location_b). How can I plot TPS for location a, location b and the sum of both?
Thanks.
Something like
<your search> host IN (*location_a*, *location_b*)
| fields inbound_rate outbound_rate host
| eval location = if(match(host, "location_a"), "location_a", "location_b") ``` rex is usually more code-economic, split is more efficient, etc ```
| addtotals fieldname=a_TPS
| timechart span=5m sum(a_TPS) as a_TPS by location
| addtotals
Note: I assume that HOST (all caps) is the same field as Splunk's essential field host (all lower-case), therefore accessible in your index search. Filtering in index search is more performant. If the HOST field is not accessible in index search, you can still use a where clause; it's just less efficient. Also, there can be many ways to calculate location but I am showing the least efficient method because I have no details about how location is embedded into host values and what regularities they have. (In my organization, for example, location is indicated in a fixed level of domain names, therefore I do not need match or rex.)
Hope this helps.