topic How to chart each data point by another field without any stats function transformation? in Splunk Search

How to chart each data point by another field without any stats function transformation?

albyva — Sun, 07 Sep 2014 15:12:40 GMT

I think I'm having a brain fart. I want to chart each data point by an address. I don't want (avg, sum, max, min, etc). I want a point on a chart for each dataset. What command am I'm missing? I tried

| chart values(DATA) by address ...and all I get is all the data in a block per address.

Thanks,

data address

1 address-a

2 address-a

3 address-a

1 address-b

2 address-b

3 address-b

Re: How to chart each data point by another field without any stats function transformation?

martin_mueller — Sun, 07 Sep 2014 15:21:27 GMT

What do your events look like, and what should the resulting chart look like?

Re: How to chart each data point by another field without any stats function transformation?

albyva — Sun, 07 Sep 2014 15:27:27 GMT

Each event is timestamped. Specifically it's the "oddsets" from an NTP log. I want my chart to plot a point for each offset by the address. So that over time you can see the offset changes for each address that is reported.

Re: How to chart each data point by another field without any stats function transformation?

martin_mueller — Sun, 07 Sep 2014 18:12:44 GMT

If you really want a point for each event then you can do something like this:

base search | xyseries _time address data

I think that's an ugly approach though, mostly because that does not give you a linear time x-axis. Silence in your data disappears in the chart instead of displaying space for that silence.

Do you really need a point for each event? Maybe you just want more points than you get by default (up to 100), consider increasing that like this:

base search | timechart bins=500 avg(data) by address

Interested in high values, but don't want to be misled by single huge maximums? Consider using a percentile function such as p95(data) that gives you the 95th percentile value for each time bucket, an often more useful "high" value than a simple max().

If you have drilldowns into single addresses you could consider putting max(data) avg(data) min(data) into one chart... just don't do that by address for many addresses though, the chart would get very messy.

Re: How to chart each data point by another field without any stats function transformation?

albyva — Sun, 07 Sep 2014 18:23:13 GMT

Thanks.. The xyseries is just what I was looking for... The timechart or chart means I still have to look at my data as average, max, etc and I wanted the actual value and nothing else.