topic Re: Creating Stack-able graphs for 2 fields in Splunk Search

Creating Stack-able graphs for 2 fields

bharpur183 — Tue, 29 Sep 2020 11:24:36 GMT

These are my events :
Based on the below info I want to crate a stackable bar graph that shows 2 errors "luchip" and "xmchip" in different colors

10/11/16

7:13:37.000 AM

2016/10/11 07:13:37| 2767| 2672| 20711| DCNETWORK| DCNETWORK| DNYOD2-J1|07:13:37 DCNETWORK: [critical] %DCNETWORK-CORE-WP-bbswatch-dnyod2-j1-syslog-default-err% {anjr-nm2} dc-core: almn-core-wp: fpc0 **xmchip*(0): li0: received a parcel from the hsl2 interface with eope

10/11/16
7:13:32.000 AM

2016/10/11 07:13:32| 2766| 2672| 20711| DCNETWORK| DCNETWORK| DNYOD2-J1|07:13:32 DCNETWORK: [critical] %DCNETWORK-CORE-WP-bbswatch-dnyod2-j1-syslog-default-err% {anjr-nm2} dc-core: almn-core-wp: fpc0 **luchip(*0) ppe_12 errors lmem data error 0x0000026c

10/7/16
2:49:35.000 PM

2016/10/07 14:49:35| 2902| 2672| 20711| DCNETWORK| DCNETWORK| PNYOD2-J2|14:49:34 DCNETWORK: [critical] %DCNETWORK-CORE-WP-bbswatch-pnyod2-j2-syslog-default-err% {anjr-nm2} dc-core: almn-core-wp: fpc0 **luchip(5) ppe_4 errors lmem data error 0x00000127

10/6/16
10:07:26.000 AM
*2016/10/06 10:07:26| 6713| 2672| 20711| DCNETWORK| DCNETWORK| PNJR-J10|10:07:26 DCNETWORK: [critical] %DCNETWORK-CORE-WP-bbswatch-pnjr-j10-syslog-default-err% {anjr-nm2} dc-core: almn-core-wp: fpc2 **xmchip(*1): wo1: packet error - error packets 1, stream 29

10/6/16
10:07:21.000 AM
*2016/10/06 10:07:21| 6709| 2672| 20711| DCNETWORK| DCNETWORK| PNJR-J10|10:07:21 DCNETWORK: [critical] %DCNETWORK-CORE-WP-bbswatch-pnjr-j10-syslog-default-err% {anjr-nm2} dc-core: almn-core-wp: fpc2 cadg7441: xmchip(1): ddrif: checksum error for wo1 - channel 6, address 0x4a040, checksum errors 1, checksum poison count 0

Re: Creating Stack-able graphs for 2 fields

sundareshr — Wed, 12 Oct 2016 03:19:55 GMT

Try this

base search | rex "(?<err_type>xmchip|luchip)" | timechart count by err_type

*UPDATED*

base search | rex "(?<err_type>xmchip|luchip)" | chart count over netdevice by err_type

Re: Creating Stack-able graphs for 2 fields

gokadroid — Wed, 12 Oct 2016 03:40:21 GMT

Assuming that "dc-core: almn-core-wp:" always appear before fpcN (xmchip OR luchip) and timestamps are present for indexed data then you can try below:

Take care to remove the space in the tags < fpc> and < chipType> before running the below command



yourBaseSearchToGetAllAboveLogs

| rex field=_raw ".dc-core: almn-core-wp:\s+(?< fpc>[^\s]+)\s?(?< chipType>[^\s\(]+)"

|timechart count by chipType

Next:
Choose the visualization option of barchart.
The bars for luchip and xmchip will appear next to each other in different color.
On clicking the paintbrush icon of "Format" choose the "stacked" option for barchart if you want bars to be stacked one on top of other.
If you do not stack then bars will be next to each other but still in different colour too.

Note: Only the chip name (xmchip or luchip) is extracted by regex. I have ignored the * and the "(number)" from the chip name. (But that can be extracted too)

Re: Creating Stack-able graphs for 2 fields

bharpur183 — Wed, 12 Oct 2016 19:48:55 GMT

Thanks .

But the issue now is "if I use the above logic , it creates the stackable graph , but it removes the names of the devices (netdevice) . If I use the names then the graph does not shwo up as stacked for both xmchip and luchip

Re: Creating Stack-able graphs for 2 fields

sundareshr — Wed, 12 Oct 2016 20:05:45 GMT

Try chart instead of timechart. See updated answer

Re: Creating Stack-able graphs for 2 fields

bharpur183 — Wed, 12 Oct 2016 20:34:22 GMT

That worked.
Thanks a lot.