topic Re: How can I chart queries over time? in Splunk Search

How can I chart queries over time?

zacksoft — Thu, 07 Jun 2018 14:03:14 GMT

I have a query that end with

| table jra_conn bam_conn bib_conn

jra_conn, bam_conn, bib_conn are not Splunk fields. They are custom fields created using eval statements.

Example : jra_conns have values like

34
12
22
45
etc...

I want to be able to chart these values over time (individually for all three *_conns .)
But | timechart span=1m values(jra_conn)

won't work for me. I am thinking if I convert jra_conn to a multivalue field then may be timechart or something similar will work.
Any suggestions?

Re: How can I chart queries over time?

poete — Tue, 29 Sep 2020 19:56:15 GMT

Hello,

how can you expect a timechart if the last line of the search is a table not containing _time?

To me, it should end with
| table _time jra_conn bam_conn bib_conn

Re: How can I chart queries over time?

zacksoft — Tue, 29 Sep 2020 19:51:36 GMT

I tried that.
| table _time jra_conn
still there won't come any visualization.
added | timechart span=1m values(jra_conn)
still no solution.

Re: How can I chart queries over time?

DalJeanis — Thu, 07 Jun 2018 14:38:16 GMT

It depends on what you are trying to chart. If you want to see individual dots for each of the connection speeds at any given time, then use a scatterplot instead of a timechart. If you want to see the average, then use timechart.

Re: How can I chart queries over time?

zacksoft — Tue, 29 Sep 2020 19:51:38 GMT

Tried the following . Still I won't get a visualization
| table _time jra_conn
| stats values(jra_conn) by _time

Re: How can I chart queries over time?

zacksoft — Thu, 07 Jun 2018 14:44:30 GMT

Thanks @DalJeanis ♦ for the suggestion.
I think (not sure) the timechart or scatterplot works when when we deal with splunk fields. Mine are custom fields generated as a result of eval statements .

I tried all the plots, But the visualization won't generate.
I think the fields(jra_conn etc.) needs to be converted to multivalued and then splitted or something similar before we make it work.

Re: How can I chart queries over time?

DalJeanis — Thu, 07 Jun 2018 14:46:16 GMT

I suspect you want...

| table _time jra_conn bam_conn bib_conn
| timechart  span=1m avg(jra_conn) as jra_conn avg(bam_conn) as bam_conn avg(bib_conn) as bib_conn

Re: How can I chart queries over time?

DalJeanis — Thu, 07 Jun 2018 14:46:42 GMT

or you can use max() or min()

Re: How can I chart queries over time?

zacksoft — Thu, 07 Jun 2018 14:50:26 GMT

tried it already. won't work. 😞

Re: How can I chart queries over time?

zacksoft — Tue, 29 Sep 2020 19:51:44 GMT

Also when tried this
| xyseries _time jra_conn

Error generates and says "Error in 'xyseries' command: At least one data field must be specified"

Re: How can I chart queries over time?

somesoni2 — Thu, 07 Jun 2018 15:14:32 GMT

Please share your current full search.

Re: How can I chart queries over time?

zacksoft — Tue, 29 Sep 2020 19:51:49 GMT

Re: How can I chart queries over time?

somesoni2 — Thu, 07 Jun 2018 16:37:15 GMT

Give this a try (simplified the custom field extraction)

host="yelowpark.gamers.com" source="/apps/absan/jra/logs/access_log.data"
| eval headers=split(_raw,";") 
| table _time headers
| eval b=mvindex(headers,2)
| rex field=b "Current Conns: (?<Total_conn>.*)" 
| eval c=mvindex(headers,3)
| rex field=c "Current Conns: (?<jra_conn>.*)" 
| eval d=mvindex(headers,4)
| rex field=d "Current Conns: (?<bam_conn>.*)" 
| eval e=mvindex(headers,5)
| rex field=e "Current Conns: (?<bib_conn>.*)"  
| timechart avg(*_conn) as Avg_*_conn

Re: How can I chart queries over time?

zacksoft — Thu, 07 Jun 2018 18:20:33 GMT

Absolutely brilliant @somesoni2 ♦
Thank you very very much.
You simplified the extraction and timechart works too.