Hi all.
I want to create multi-line graph, and I can create it. But My XQL query is too long and too many manual operation is there.
Do you have good idea for create multi-series line graph? (more shorter one)
Example (Just example. There are no Confidential Information)
When I have some datesets, and I want to create graph for Log Ingestion count for each dataset.
To count log numbers, I use _product field for distinguish each dataset.
Field value example is here "
httpd
parse
parsetime
httpdv2
apache
httpd_droptest
regexcapture
To create multi-series time-series graph, I wrote query below.
dataset = vendor_*
| alter regexcapture = if (_product="regexcapture", 1,0)
| alter httpd_droptest = if (_product="httpd_droptest", 1,0)
| alter httpd = if(_product="httpd",1,0)
| alter parse = if(_product="parse",1,0)
| alter parsetime = if(_product="parsetime",1,0)
| alter httpdv2 = if(_product="httpdv2",1,0)
| alter apache = if(_product="apache",1,0)
| bin _time span = 1h
| comp sum(regexcapture) as regexcapture , sum(httpd_droptest) as httpd_droptest , sum(httpd) as httpd, sum(parse) as parse, sum(parsetime) as parsetime, sum(httpdv2) as httpdv2, sum(apache) as apache, count() as all by _time | view graph type = line xaxis = _time yaxis = httpd_droptest , regexcapture, httpd, parse, parsetime, httpdv2, apache
Then, I get graph below
I can create multi-series timechart graph, but this query has some problem.
Problem 1. Too Long.
This is very simple graph, but I need very long command. If we can this query become shorter, please advice for me.
Problem 2. Very inconvenient.
To count each dataset, I have to create new field name using alter command and I have to check _product field.
And I have to use sum function for each dataset, and I have to set Y-Axis field name using view command.
If I got new dataset name, I have to change each point.
Very very inconvenient...
Does there any useful command like a timechart or foreach or eval function(XQL have alter command but there are no alter function) on SPL?
