topic Re: Cannot find remote data using timechart in Splunk Search

Cannot find remote data using timechart

huangyingleo — Tue, 29 Sep 2020 12:17:58 GMT

Here is my test environment, I got two VMs, PC1 and PC2, and PC1 works as a server end and PC2 as a client end. I try to collect vmstat data from PC2. I install Splunk_TA_NIX on both sides.
I can find events like this:

But when I use timechart, all data just vanish. Take a look.

I got confused. Can you give me some ideas to solve this? Thanks....

Re: Cannot find remote data using timechart

martin_mueller — Thu, 05 Jan 2017 07:34:04 GMT

First, flip to the other pages in the table returned by the timechart.

If that doesn't yield data, make sure the field is actually extracted correctly.

Re: Cannot find remote data using timechart

huangyingleo — Thu, 05 Jan 2017 08:06:02 GMT

I checked other pages in the table returned by timechart and found nothing.
As to "make sure the field is acutally extracted correctly", how? I think I can find data by using "index=os sourcetype=vmstat" and can see events followed by searching, which means field is extracted correctly. Am I right?

Re: Cannot find remote data using timechart

chimell — Thu, 05 Jan 2017 08:12:48 GMT

Hi
Verify if loadAvgIni field is well extracted .
And try using this search code :

index=os host=PC2 sourcetype=vmstat |timechart avg(loadAvgIni)

Re: Cannot find remote data using timechart

huangyingleo — Thu, 05 Jan 2017 08:20:31 GMT

Hi, Chimell,
I try you method and it doesnt work....
Also I try "index=os sourcetype=vmstat host=PC2 | timechart avg(threads)" and other fields like memTotalMB. Still nothing in the new form returned by timechart.....

Re: Cannot find remote data using timechart

huangyingleo — Thu, 05 Jan 2017 08:22:23 GMT

Hi, Martin,
But how to "make sure the field is actually extracted corrently"? I think I can generate events by "index=os sourcetype=vmstat" like picture 1, which means the raw data is collected.

Re: Cannot find remote data using timechart

martin_mueller — Thu, 05 Jan 2017 08:47:08 GMT

Run index=os sourcetype=vmstat in smart mode and see if the field appears in the left bar.

Re: Cannot find remote data using timechart

huangyingleo — Thu, 05 Jan 2017 09:03:45 GMT

Hi, Martin,
Can you take a look at this screenshot?

Re: Cannot find remote data using timechart

huangyingleo — Thu, 05 Jan 2017 09:07:38 GMT

Hi, here is the outcome.

Search command: index=os sourcetype=vmstat host=PC2

Selected Fields

a   host    1   
a   source  1   
a   sourcetype  1

Interesting Fields

a   dest    1   
a   eventtype   1   
a   index   1   
#   linecount   1   
a   loadAvg1mi  1   
a   punct   1   
a   splunk_server   1   
a   src 1   
a   tag 8   
a   tag::eventtype  8   
a   timestamp   1

Re: Cannot find remote data using timechart

martin_mueller — Thu, 05 Jan 2017 09:55:32 GMT

That says loadAvg1mi is a string value (see the "a"), you can't compute an average of strings.

What's the value of the field?

Re: Cannot find remote data using timechart

Arun_N_007 — Thu, 05 Jan 2017 10:07:25 GMT

Try to convert loadAvgIni to number using

..|eval loadAvgIni=tonum(loadAvgIni)|timechart avg(loadAvgIni)

And then do timechart it should work...

You can check loadAvgIni is extracted or not using

index=os host=PC2 sourcetype=vmstat loadAvgIni=*

If it is not returning any data you must extract the field first.

Use multikv to extract values.

index=os host=PC2 sourcetype=vmstat|multikv|timechart avg(loadAvgIni)

Regards,
Arun N

Re: Cannot find remote data using timechart

huangyingleo — Mon, 09 Jan 2017 01:18:40 GMT

Yes, Martin,
You are right! I love you!

Re: Cannot find remote data using timechart

huangyingleo — Mon, 09 Jan 2017 01:20:30 GMT

Thanks, I think the root cause should be 'loadAvg1mi' is a string field not a number one.

Re: Cannot find remote data using timechart

huangyingleo — Mon, 09 Jan 2017 01:21:03 GMT

Thanks, I think the root cause should be 'loadAvg1mi' is a string field not a number one.