Construct multivariable histogram chart?

cool_pbenjamin — Fri, 03 Feb 2023 00:32:02 GMT

I have a search along these lines

"duration: " | rex field=host "(?P<host_type>[my_magic_regex])" | rex "duration: (?P<duration_seconds>[0-9]+)" | chart count by duration_seconds host_type limit=0 span=1.0

This is working exactly as expected. However, since I am doing count by ... for each host type, the histograms constructed for each host_type vary wildly.
The lines have such a different scale that overlaying them on the same axis is worthless.

I need to either
1. create a different chart for each host_type (and not worry about the actual value of count)
2. normalize the y axis so that instead of the literal count, the max peak for all histograms is 1 (or 100 or whatever)

I think I'll need a foreach command somewhere, but not sure what's the best route forward. Maybe there's a command similar to count that I should be using instead.

Re: Construct multivariable histogram chart?

bowesmana — Fri, 03 Feb 2023 00:55:05 GMT

You could do trellis view with independent y-axis, but it depends on the number of variants you have as to whether it looks good or not.

Alternatively normalising all data can be done with

| chart count by duration_seconds host_type limit=0 span=1.0 | addtotals | eval Total=Total-coalesce(tonumber(duration_seconds),0) | foreach * [ eval "<<FIELD>>"=if("<<MATCHSTR>>"="duration_seconds" OR "<<MATCHSTR>>"="Total", '<<FIELD>>', '<<FIELD>>'/Total*100) ] | fields - Total

it's a bit messy with doing just addtotals for all fields, as that adds all totals and presumably your duration_seconds is numeric, so it will get included in the total counts. If you know host_type values, you can use those instead to avoid the "if" in the foreach.

topic Re: Construct multivariable histogram chart? in Splunk Search

Construct multivariable histogram chart?

Re: Construct multivariable histogram chart?