topic Chart using variable units in Splunk Search

Chart using variable units

alexiri — Fri, 29 Jul 2011 16:29:14 GMT

I'm trying to create a dashboard that will allow a user to select a machine or set of machines and see a timechart of how much data they have on our system and how this has evolved. The problem is that depending on what the user selects, we may be talking about anything from a few megabytes to a few petabytes.

I'd like to be able to intelligently pick the best unit for the chart (ie. 1PB, 1TB, etc.) so as to avoid having labels like "1.074E9 MB" or "9.31E-10 PB". What would be the best way of doing this?

Re: Chart using variable units

sideview — Fri, 29 Jul 2011 19:56:43 GMT

See the docs for the case() function within the eval command:

http://www.splunk.com/base/Documentation/latest/SearchReference/CommonEvalFunctions

Here's a simple search to show the idea. This displays throughput in KB when the numbers are small and in MB when they're large:

index=_internal source=*metrics.log group=per_sourcetype_thruput | stats sum(kb) as kb by series | eval totalKB=case(kb<5000, tostring(kb)+" KB",kb>=5000,tostring(kb/1024)+ " MB")

the case function can take any number of argument pairs so this should give you what you need.

Re: Chart using variable units

alexiri — Mon, 01 Aug 2011 14:36:47 GMT

Hi @nick,

Thanks for your reply. This would work fine for displaying the data in a table, but what I want is to display it in a chart.

What I want is to be able to change the units of the Y axis depending on what makes sense. If I have to graph data that goes from 2097152 MB to 38797312 MB, I'd like the scale to go from 0 TB to, say, 40 TB.

Can this be done? I'm using advanced views, in case that makes a difference.

Re: Chart using variable units

rtelford — Wed, 19 Dec 2012 12:18:38 GMT

I would love to be able display numbers with the SI unit.

Re: Chart using variable units

sideview — Wed, 19 Dec 2012 17:39:55 GMT

Yes it can be done. You can use the eventstats command after your stats command, to paint a little "maxKb" field onto every row. Then you can do your conditional eval, except that the eval will check the maxKb value and make the choice based on that. Then once the eval has made the scaling change (or not), then use the fields command to remove the maxKb field. However without doing a little more work the user won't know which scale they're looking at - TB or GB. (A bit more eval, and then a Sideview ResultsValueSetter and a Sideview HTML module could solve that though.)