topic Re: Trend values on x-axis and y-axis by serv in Splunk Search

Trend values on x-axis and y-axis by serv

nagaraju_chitta — Fri, 29 Sep 2017 17:46:58 GMT

index=... sourcetype=...
| rex "(?) and (?\w+) and (?)"
| table totaltime,duration
| timechart or chart would like to populate totaltime in x-axis and duration in y-axis for each serv

would like to show trend line graph based on the values of "totaltime" in x-axis and "duration" in y-axis for each "serv". Assume the below sample from "serv1". for serv2,serve3,etc has to show on the graph

sample data:
28820.220: [Full GC (System.gc()) 8832K->8624K(37888K), 0.0261704 secs]
29372.500: [GC (Allocation Failure) 23984K->8816K(37888K), 0.0013546 secs]
29932.500: [GC (Allocation Failure) 24176K->8808K(37888K), 0.0017082 secs]
30492.500: [GC (Allocation Failure) 24168K->8960K(37888K), 0.0017122 secs]
31047.500: [GC (Allocation Failure) 24320K->8944K(37888K), 0.0020634 secs]
31602.500: [GC (Allocation Failure) 24304K->8992K(37888K), 0.0017542 secs]
32157.500: [GC (Allocation Failure) 24352K->8968K(37888K), 0.0018971 secs]
32420.247: [GC (System.gc()) 16160K->8944K(37888K), 0.0012816 secs]
8186.000: [GC (Allocation Failure) 91332K->36212K(246272K), 0.0081127 secs]
8347.676: [GC (System.gc()) 42225K->35996K(246272K), 0.0040077 secs]
8347.678: [Full GC (System.gc()) 35996K->21313K(246272K), 0.1147433 secs]
8929.342: [GC (Allocation Failure) 76609K->24356K(246784K), 0.0047687 secs]
8952.577: [GC (Allocation Failure) 80164K->29098K(246272K), 0.0053928 secs]
9921.694: [GC (Allocation Failure) 84906K->27626K(247808K), 0.0053474 secs]
11567.840: [GC (Allocation Failure) 85994K->27730K(247808K), 0.0030062 secs]
11947.795: [GC (System.gc()) 41757K->27562K(248320K), 0.0035917 secs]
11947.797: [Full GC (System.gc()) 27562K->22923K(248320K), 0.1237187 secs]

Re: Trend values on x-axis and y-axis by serv

Sukisen1981 — Fri, 29 Sep 2017 18:39:02 GMT

index=... sourcetype=... 
| rex "(?) and (?\w+) and (?)" 
| timechart duration by server | trendline sma2(duration ) AS Duration


https://docs.splunk.com/Documentation/SplunkCloud/6.6.1/SearchReference/Trendline

Re: Trend values on x-axis and y-axis by serv

DalJeanis — Fri, 29 Sep 2017 18:39:07 GMT

@nagaraju_chittathuru -

1)Please be sure to mark your code (with the 1010 010 button, for example) so that the system does not delete HTML-like features.

2) Your rex appears to be pulling three values, but you have only mentioned two other than server, and there is no server name in the data sample.

3) Please identify how the values for server, totaltime and duration are supposed to be determined based on the data.

Re: Trend values on x-axis and y-axis by serv

nagaraju_chitta — Sat, 30 Sep 2017 13:42:26 GMT

@DalJeanis,

By using

index=... sourcetype=... 
| rex "(?<totaltime>) and (?<duration>\w+) and (?<serv>)" 
| table totaltime,duration,source
| timechart or chart would like to populate totaltime in x-axis and duration in y-axis for each serv

from the sample data highlighted for Full GC
28820.220 is totaltime
0.0261704 is duration
and the serv will extract from my source which is a default extract.
any sort of suggestion would be helpful to create a graph

Re: Trend values on x-axis and y-axis by serv

nagaraju_chitta — Sat, 30 Sep 2017 19:11:20 GMT

@Sukisen: thanks for reply.please read the post about my requirement and let me know any suggestions.would like to populate the totaltime values on x-axis and duration on y-axis by serv name where serv name comes from the file name which includes in the source.

Re: Trend values on x-axis and y-axis by serv

Sukisen1981 — Sun, 01 Oct 2017 10:23:26 GMT

hi can you post what the output of your table command looks like in the statistics tab?

Re: Trend values on x-axis and y-axis by serv

nagaraju_chitta — Mon, 02 Oct 2017 07:44:36 GMT

@Sukisen1981...below is the data the chart or timechart supposed to populate from the sampledata provided in the post
totaltime:
28820.220
8347.678
11947.797

duration:
0.0261704
0.1147433
0.1237187

serv name from the filename which is source
serv1

Re: Trend values on x-axis and y-axis by serv

niketn — Mon, 02 Oct 2017 08:48:01 GMT

@nagaraju_chittathuru, you need to provide more specifics for us to assist you:

1) You are missing regular expression from the rex command to fetch totaltime and duration. Based on your current data and one of your previous command it should be

| rex "^(?<totaltime>[^:]+):\s+\[Full GC\s\(([^\)]+)\)\)\s+(?<field1>\d+)K-\>(?<field2>\d+)K\((?<field3>\d+)K\),\s+(?<duration>[^\s]+)\ssecs\]"

2) You have mentioned serv field but from your example it is not clear as to what is the regular expression for servfield and what is its regular expression. Please clarify.

3) You have extracted serv but using source in your table. Do you really need serv field? Do you need to get latest values of totaltome and duration by every source? If this is what you want then following should be your query:

<YourBaseSearch>
| table totaltime,duration,source
| stats last(totaltime) as totaltime last(duration) as duration by source

PS: Timechart uses epoch time as x-axis time field. Since you do not have epoch time in your query you can not run the time chart command.

Read about transforming commands like stats (http://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Stats) and timechart (http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Timechart) etc. to understand how and when to use these. Also read about Statistical and Charting functions available for these (http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonStatsFunctions#Types_of_statistical_and_charting_functions )

Re: Trend values on x-axis and y-axis by serv

Sukisen1981 — Mon, 02 Oct 2017 10:52:28 GMT

| stats values(duration) as dur by server,totaltime
| eval  {dur}/{server}=dur 
| fields - server, - dur

Re: Trend values on x-axis and y-axis by serv

nagaraju_chitta — Mon, 02 Oct 2017 21:37:49 GMT

@niketnilay
Below are the clarifications
1. by using the REGEX that you have specified .am trying to extract totaltime and duration
2. serv is the part of source and I am extracting it from source by using split
3. need to get latest values of totaltime and duration by every source and show this as a trend.
advise if any? below is the regex and chart using and expected results are not getting. Needs to populate the values of totaltime and duration for each serv(source)

rex max_match=0 field=_raw "(?m)^(?<timestamp>[^:]+):\s+\[(?<FullGCEvents>Full.*)\s+(?<field1>\d+)K-\>(?<field2>\d+)K\((?<field3>\d+)K\),\s+(?<gctime>[^\s]+)\ssecs\]" |  chart max(gctime) as Duration by timestamp

Re: Trend values on x-axis and y-axis by serv

nagaraju_chitta — Mon, 02 Oct 2017 21:40:22 GMT

@Sukisen1981
thanks again and no results and chart are displaying when i followed. any otherway to populate only values not the statistics as mentioned in the below rex

rex max_match=0 field=_raw "(?m)^(?<timestamp>[^:]+):\s+\[(?<FullGCEvents>Full.*)\s+(?<field1>\d+)K-\>(?<field2>\d+)K\((?<field3>\d+)K\),\s+(?<gctime>[^\s]+)\ssecs\]" |  chart max(gctime) as Duration by timestamp

Re: Trend values on x-axis and y-axis by serv

Sukisen1981 — Wed, 04 Oct 2017 17:13:14 GMT

Hi,
I don't know what you are trying.....please refer to my screen shot and tell me if its somewhat near to your needs

Re: Trend values on x-axis and y-axis by serv

nagaraju_chitta — Fri, 06 Oct 2017 17:26:25 GMT

@Sukisen1981: my requirement is simple. just need a trend line out of the below data. also posting my statisticstab and visualizationtab images

totaltime:
28820.220
8347.678
11947.797

duration:
0.0261704
0.1147433
0.1237187

how will you populate the totaltime on x-axis and duration on y-axis?

     | stats values(totaltime) as totdur values(Duration) as duration