topic Re: How to produce multiple values graphs in Splunk Search

How to produce multiple values graphs

jhuysing — Mon, 22 Jul 2019 21:42:33 GMT

We have a log of some metrics that look like this:

20:45:00 10.10.71.01 values : [12035313, 233658, 0, 0, 24249, 13058, 0, 229867, 0, 0, 0, 0, 24249, 0, 0, 0, 37307, 0, 257907, 42125, 320380, 0]

I can pull out each of the values and produce a table.

| rex field=_raw "\[(?.*)]" 
| eval counters = split( results,",") 
| eval Requests=mvindex(counters,1)   etc

However, I want to produce a multiline graph, is this possible?

Re: How to produce multiple values graphs

jaime_ramirez — Mon, 22 Jul 2019 23:49:00 GMT

You could try something like this:

| makeresults count=20 
| eval values="values : [".random().", ".random().", ".tostring(random()%2).", ".tostring(random()%1).", ".random()."]" 
| eval ip="127.0.0.1" 
| eval _time = _time - random()%600 
| eval _raw=strftime(_time, "%H:%M:%S")." ".ip." ".values 
| rename COMMENT as "--- Sample Generated Values above ---"
| rex field=_raw "\[(?<results>.*)\]" 
| eval counters = split( results,", ")
| eval index_counters=mvzip(mvrange(0, mvcount(counters), 1), counters, "-")
| mvexpand index_counters
| eval index_counters=split(index_counters, "-")
| eval CounterType=mvindex(index_counters, 0)
| eval CounterValue=mvindex(index_counters, 1)
| fields _time CounterType CounterValue _raw
| timechart max(CounterValue) as CounterValue by CounterType
| fillnull value=0

Hope it helps!!!

Re: How to produce multiple values graphs

jhuysing — Tue, 23 Jul 2019 03:57:43 GMT

| eval index_counters=mvzip(mvrange(0, mvcount(counters), 1), counters, "-") 
| mvexpand index_counters 
| eval index_counters=split(index_counters, "-") 
| eval CounterType=mvindex(index_counters, 0) 
| eval CounterValue=mvindex(index_counters, 1) 
| fields _time CounterTypes CounterValue _raw  | sort _time
| table CounterValue , CounterTypes, _time

When I run this query, I get a result of 21 counterTypes, starting a 0

When I replace the last line with
| timechart max(CounterValue) as CounterValue by CounterType

in the preview there is only 11 columns including others, the other counter types are missing
0 1 10 11 12 13 14 15 16 17 OTHER

and when look at the visualizations the legend only includes the value above and there is a diagonal line going up from left to right

Re: How to produce multiple values graphs

jaime_ramirez — Tue, 23 Jul 2019 17:25:21 GMT

Try using this:

...
| timechart max(CounterValue) as CounterValue by CounterType limit=0 useother=0

And in visualizations choose Line Chart

Re: How to produce multiple values graphs

jhuysing — Tue, 23 Jul 2019 22:54:13 GMT

okay that fixed it so I get all the counter types.

The lines were not being drawn. I found i had another problem with

| eval counters = split( results,",")

changed it to so there is a space after the comma and all the line get drawn

| eval counters = split( results,", ")

Now I need to figure out how to change the CounterType from a number to the correct name

Re: How to produce multiple values graphs

jaime_ramirez — Tue, 23 Jul 2019 23:03:43 GMT

You could use rename at the end of the search string:

....
| rename 0 as Zero_Counter, 1 as First_Counter ....

Re: How to produce multiple values graphs

jhuysing — Mon, 05 Aug 2019 03:50:04 GMT

After a week of putting out other fires

Okay that works as long as you don't use the Trellis layout