Splunk® Enterprise

User Manual

Download manual as PDF

Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Reporting: Build a chart of multiple data series

Splunk's reporting commands do not support a direct way to define multiple data series in your charts (or timecharts). However, you CAN achieve this using a combination of the stats and xyseries commands.

The chart and timechart commands both return tabulated data for graphing, where the x-axis is either some arbitrary field or _time, respectively. When these commands are used with a split-by field, the output is a table where each column represents a distinct value of the split-by field.

In contrast, the stats command produces a table where each row represents a single unique combination of the values of the group-by fields. You can then use the xyseries command to redefine your data series for graphing.

For most cases, you can simulate the results of "... | chart n by x,y" with "... | stats n by x,y | xyseries x y n". (For the timechart equivalent of results, x = _time.)

Scenario

Let's say you want to report on data from a cluster of application servers. The events gathered from each server contain information such as counts of active sessions, requests handled since last update, etc. and are placed in the applications_servers index. You want to display each server instance and the number of sessions per instance on the same timechart so that you can compare the distributions of sessions and load.

Ideally, you want to be able to run a timechart report, such as:

index=application_servers | timechart sum(handledRequests) avg(sessions) by source

However, timechart does not support multiple data series; so instead, you need run a search similar to the following:

index=application_servers | stats sum(handledRequests) as hRs, avg(sessions) as ssns by _time,source | eval s1="handledReqs sessions" | makemv s1 | mvexpand s1 | eval yval=case(s1=="handledReqs",hRs,s1=="sessions",ssns) | eval series=source+":"+s1 | xyseries _time,series,yval

Walkthrough

... | stats sum(handledRequests) as hRs, avg(sessions) as ssns by _time,source

This uses the stats command to calculate statistics for each source value: The sum of handledRequests values are renamed as hRs, and the average number of sessions are renamed as ssns.

... | eval s1="handledReqs sessions" | makemv s1 | mvexpand s1

This uses the eval command to add a single-valued field "s1" to each result from the stats command. Then, the makemv command converts sl into a multivalued field, where the first value is "handleReqs" and the second value is "sessions". The mvexpand then creates separate series for each value of s1.

... | eval yval=case(s1=="handledReqs",hRs,s1=="sessions",ssns)

This uses the eval command to define a new field, yval, and assign values to it based on the case that it matches. So, if the value of s1 is "handledReqs", yval is assigned the "hRs" value. And, if the value of s1 is "sessions", yval is assigned the "ssns" value.

... | eval series=source+":"+s1

This uses the eval command to define a new field, series, which concatenates the value of the host and s1 fields.

... | xyseries _time,series,yval

Finally, the xyseries command is used to define a chart with _time on the x-axis, yval on the y-axis, and data defined by series.

PREVIOUS
What's in this chapter
  NEXT
Reporting: Compare hourly sums between multiple days

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7


Comments

You think it is smart to tell the customer what would be an easy and ideal solution and then explain it is NOT possible ? ^-^.<br />Fix the timechart to support multiple data series ;)

Flo cognosec
January 10, 2012

Thanks for this tute. But I am stuck at the second last step, please see my query below to see what I am doing. When I run the query the table looks to be formatted correctly, but there are no results returned under 'Deny' or 'Allow'. If I then add the last part of the query (... | xyseries _time,series,yval) I get 'No Results Found'.<br /><br />What am I doing wrong?<br /><br />sourcetype=Firewall | stats sum(disp=deny) as Deny, sum(disp=allow) as Allow by _time,source | eval s1="Denied Allowed" | makemv s1 | mvexpand s1 | eval yval=case(s1=="Denied",Deny,s1=="Allowed",Allow) | eval series=source+":"+s1

Wishlist
June 14, 2011

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters