topic Re: Graphing negative values OR converting the values to positive in Splunk Dev

Graphing negative values OR converting the values to positive

dbcase — Fri, 25 May 2018 17:38:05 GMT

Hi,

I'm trying to do a time chart of RSSI values (typically negative values). I have a query that extracts the values and puts them into a table (just for troubleshooting). I'm also trying to convert the values to positive using the abs function but it keeps coming up blank. I've checked using isstr to see if the values were a string and needed to be converted but the function returned no (it is not a string). Can't figure out what the heck is wrong here. Thoughts?

earliest=-4hr index="camera_status" sourcetype=access_combined_camerastatus 8773|rex max_match=0 "Premise=\s+(?<premiseid>\d+)"|rex max_match=0 "Mac=\s+(?<macid>[a-fA-F0-9\.:-]{12,17})"|rex max_match=0 "RSSI=\s+(?<rssiid>[^\s]+)"|eval n=abs(rssiid)|table n rssiid

Resulting table. As you can see the rssiid comes across just fine but n (where I'm doing the eval/abs) is null

Re: Graphing negative values OR converting the values to positive

dbcase — Fri, 25 May 2018 17:39:01 GMT

whups forgot the other part. If there is a way to graph negative numbers I'd do that as well

Re: Graphing negative values OR converting the values to positive

somesoni2 — Fri, 25 May 2018 18:11:31 GMT

Most eval functions doesn't work on multivalued fields, which your rssid field is. Also, you can't chart the multivalued field. So in order to apply the functions or charting, you'd expand your multivalued field as single value using mvexpand command. There is no special processing to chart the negative numbers.

Now if you've more than one, related multivalued fields, you'll concatenate them into single multivalued field using mvzip, expand it using mvexpand and then split it again, similar to what's being done in this post
http://www.bbosearch.com/commands/mvexpand
https://answers.splunk.com/answers/301140/how-can-i-use-the-eval-function-mvzip-with-8-attri.html

Re: Graphing negative values OR converting the values to positive

niketn — Fri, 25 May 2018 19:22:55 GMT

@dbcase, while negative values can definitely be plotted on charts like column, bar, line or area, it is unclear what is the aggregation field against which you want to plot the negative rssids. You seem to have two rows in your screenshot. What is the key field for each row?

Try adding the following query to your existing search:

earliest=-4hr index="camera_status" sourcetype=access_combined_camerastatus 8773
|rex max_match=0 "Premise=\s+(?<premiseid>\d+)"
|rex max_match=0 "Mac=\s+(?<macid>[a-fA-F0-9\.:-]{12,17})"
|rex max_match=0 "RSSI=\s+(?<rssiid>[^\s]+)"
|  mvexpand rssiid
|  chart values(rssiid) by sno rssiid

Following is a run anywhere example for you to try out:

|  makeresults
|  eval sno=1, rssiid="-12,-32,-21,-45,-9"
|  append 
    [|  makeresults
    | eval sno=2, rssiid="-43,-53,-2,-22" ]
|  makemv rssiid delim=","
|  mvexpand rssiid
|  chart values(rssiid) by sno rssiid

Re: Graphing negative values OR converting the values to positive

dbcase — Tue, 29 May 2018 15:30:06 GMT

ah ok that helped, still getting some odd behavior. I'll open up a new question