Hi, I have the following string, which is continuously changing its type1, 2, 3 values:
"msg count 95, time 2000111, rate: type1=0 type2=9.5 type3=0 type4=0 type5=8"
The values of {type1, type2, type3, type4, type5} and time change in each message.
I want to plot a bar chart in which time is on the X-axis and the {type1, type2, ...} values are on the Y-axis.
How can I extract all the "typen=value" pairs and plot the graph according to the values, with my own time field as well?
Thanks.
Try this. I am not sure what format your time value is in, so I am just taking this:
your base search
| rex " time (?<timestamp>[^,]+)"
| rex max_match=0 "(?<type>\w+)=(?<value>[^ ]+)"
| table timestamp, type, value
| eval newfield=mvzip(type,value)
| mvexpand newfield
| rex field=newfield "(?<type>.*),(?<value>.*)"
| chart first(value) over type by timestamp
Wow, great!
Thanks a lot, man. It works fine in tabular form: it extracts the values of type and also shows the timestamp.
I just want to show the type field, which is {20.23.25.50.56},
and its values on the bar graph. Does it work? On the graph it shows something strange.
Thanks again
..
You could do this
yoursearchhere
| table timestamp type*
And then choose the type of chart that you want in the "Visualization" tab.
This assumes that you do not need to summarize the data. If you need to calculate the values for a span of an hour, for example:
yoursearchhere
| eval timestamp=strptime(yourtimestamp,"%format")
| bucket timestamp span=1h
| chart avg(type*) as type* by timestamp
This assumes that your timestamp field is not in Linux epoch time format. If it is, you can leave off the eval command. "%format" depends on the format of your timestamp - you can get more information here: Splunk common time format variables
Thanks Lguinn, for your reply 🙂 Actually, my string has these values, which are changing:
time 2000111, rate: 20=3 22=9.5 25=0 26=2
time 2000137, rate: 20=7 22=5.6 25=3 26=0
time 2000092, rate: 20=0 22=9.5 25=0 26=0
I want to plot a real-time graph which looks like this. a) Each time, parse the string and extract the values of {20,22,25,26,50,51} and store them in some variables like 20=x, 22=y, 25=z, and so on, and then plot a bar chart according to (X,Y,Z) and the time in the string as reference.
I don't know how to extract values and store them into variables.
Please help.
thanks again
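The extraction asked about in this thread, written out as an added example (not posted by any participant): a self-contained search that builds three constructed events from the sample lines above with makeresults, pulls out the time and every key=value pair, and charts one column per key with time on the X-axis. The field names n, key, value and pair are assumptions chosen for this example.

```spl
| makeresults count=3
| streamstats count AS n
| eval _raw=case(
    n=1, "time 2000111, rate: 20=3 22=9.5 25=0 26=2",
    n=2, "time 2000137, rate: 20=7 22=5.6 25=3 26=0",
    n=3, "time 2000092, rate: 20=0 22=9.5 25=0 26=0")
| rex "time (?<timestamp>\d+)"
| rex max_match=0 "(?<key>\w+)=(?<value>[\d.]+)"
| eval pair=mvzip(key, value)
| mvexpand pair
| eval key=mvindex(split(pair, ","), 0)
| eval value=tonumber(mvindex(split(pair, ","), 1))
| chart first(value) over timestamp by key
```

To run it against real data, replace the first three commands with the base search; the result has one row per timestamp and one column per key, which the column chart visualization renders as grouped bars.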