Solved: Re: Extract_values from String and plot the graph ...

irfanh · ‎03-19-2014

Hi,I have the following string which is continuously changing its type1,2,3 values ..

"msg count 95, time 2000111, rate: type1=0 type2=9.5 type3=0 type4=0 type5=8"

the value of {type1,type2,type3,type4,type5 } and time is changing in each message.

I want to plot a Bar-chart graph in which time is on X-axis and {type1, type2,..} value is on y-axis
how can I extract all the " typen=value" and plot the graph accordingly to value with my own time field also..

Thanks.

somesoni2 · ‎03-19-2014

Try this:- I am not sure what format your time value is, So I am just taking this

your base search | rex " time (?<timestamp>[^,]+)"| rex max_match=0 "(?<type>\w+)=(?<value>[^ ]+)" | table timestamp, type, value| eval newfield=mvzip(type,value) | mvexpand newfield | rex field=newfield "(?<type>.*),(?<value>.*)" | chart first(value) over type by timestamp

View solution in original post

somesoni2 · ‎03-19-2014

Try this:- I am not sure what format your time value is, So I am just taking this

your base search | rex " time (?<timestamp>[^,]+)"| rex max_match=0 "(?<type>\w+)=(?<value>[^ ]+)" | table timestamp, type, value| eval newfield=mvzip(type,value) | mvexpand newfield | rex field=newfield "(?<type>.*),(?<value>.*)" | chart first(value) over type by timestamp

irfanh · ‎03-19-2014

Wo0W Great !

Thanks alot man.it works fine in tabular form extract the values of type and also show the time-stamp..

i just want to show the type field which is {20.23.25.50.56}
and its values on the bar graph. Does it works ?? on graph it shows some thing strange..

thanks again
..

lguinn2 · ‎03-19-2014

You could do this

yoursearchhere
| table timestamp type*

And then choose the type of chart that you want in the "Visualization" tab.

This assumes that you do not need to summarize the data. If you need to calculate the values for a span of an hour, for example:

yoursearchhere
| eval timestamp=strptime(yourtimestamp,"%format")
| bucket timestamp span=1h
| chart avg(type*) as type* by timestamp

This assumes that your timestamp field is not in Linux epoch time format. If it is, you can leave off the eval command. "%format" depends on the format of your timestamp - you can get more information here: Splunk common time format variables

irfanh · ‎03-19-2014

Thanks Lguinn, for your reply 🙂 Actually my string has these values whic is changing

time 2000111, rate: 20=3 22=9.5 25=0 26=2
time 2000137, rate: 20=7 22=5.6 25=3 26=0
time 2000092, rate: 20=0 22=9.5 25=0 26=0

I want to plot a real-time graph which look like this. a) Each time parse the sting and Extract the values of {20,22,25,26,50,51} and store it to some variables like 20=x,22=y,25=z..so on. and then plot a bar chart according to(X,Y,Z) and time in the string as refernece..

I don't know how to extact values and store them into variables
a Please help ..
thanks again

Extract_values from String and plot the graph accordingly

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

SplunkTrust Application Period is Officially OPEN!

Join the Conversation