topic Re: creating Line chart with two custom fields in Splunk Search

creating Line chart with two custom fields

juancarlos_pola — Mon, 28 Sep 2020 17:44:40 GMT

Hello, I am quite new using Splunk and I have a question, that might be already be solved before, but I just want to make sure.

I have two fields (numerical) extracted from a several log files from a server: load_avg & date_time. These log files are printed in 3 columns and I have taken the last 2 columns as each field (both numerical).
What I would like to do is to create a Line chart that has as the X axis (abscissa) the date_time and in the Y axis (ordinate) the load_avg (load average) in a way that each date_time coincides with each corresponding load_avg.

Please, let me know if you need any further information.

Thanks in advance.

Re: creating Line chart with two custom fields

sk314 — Tue, 30 Sep 2014 06:56:56 GMT

Have you tried using the chart command? http://docs.splunk.com/Documentation/Splunk/6.1.3/SearchReference/chart

like so: ... | chart avg(load_time) over date_time

You could look at the bucket options and use timechart command too.

Re: creating Line chart with two custom fields

juancarlos_pola — Tue, 30 Sep 2014 07:09:14 GMT

Thank you for your response sk314.
And, pardon my ignorance but, when I define avg() does it return the real value? or the average comparing with all the other values? I would like to get the numerical value as it is.

Please let me know if I am right or wrong.

Thank you

Re: creating Line chart with two custom fields

sk314 — Mon, 28 Sep 2020 17:44:42 GMT

It will return average of your load average....

on second thoughts (and further reading of the documentation!), May be what you need is the xyseries.
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Xyseries

You may have to create a dummy field with the Y-axis label like so:

... | eval y_field = "load_times" | xyseries date_time y_field, load_time

I haven't used this but I have a feeling this will suit your case.