How to Split column chart by values?

Sept11
Loves-to-Learn Lots

Hello,

 

sourcetype=reactorjob index=syslog
| rex field=_raw "\[(?<cycle_name>[^\]]+)\]"
| rex field=_raw "\[(?<duration_ms>[^\]]+)ms\]"
| rex field=_raw max_match=0 "(?<step>\d+): (?<duration>\d+)"
| stats avg(duration_ms) by cycle_name

 



It creates a simple column chart where I see how long one cycle was running.

But I also have something like this in the data, where the first number before ":" is the step and the number after ":" is how long that step was running.

 

run time: 1: 55    2: 22    3: 17    4: 14    5: 5     6: 14    7: 30    9: 5889  10: 6     11: 2986  12: 17    

 



If you combine <duration> of all steps you will get the same value as <duration_ms>

So I would like to split the column of one <cycle_name> by <duration> in the visualization.

 

Is it possible? Thank you 

0 Karma

Sept11
Loves-to-Learn Lots

or maybe correction "If you combine <duration> of all steps you should* get the same value as <duration_ms>"

0 Karma

bowesmana
SplunkTrust

Here's an example using 5 cycles of simulated data

| makeresults count=5
| streamstats c
| eval cycle="Cycle ".c
| eval _raw=printf("run time: 1: %d    2: %d    3: %d    4: %d    5: %d     6: %d    7: %d    9: %d  10: %d     11: %d  12: %d", (random() % 55) + 1, (random() % 22) + 1, (random() % 17) + 1, (random() % 14) + 1, (random() % 5) + 1, (random() % 14) + 1, (random() % 30) + 1, (random() % 5889) + 1, (random() % 6) + 1, (random() % 2986) + 1, (random() % 17) + 1)
| rex field=_raw max_match=0 "(?<timing_data>\d+: \d+)"
| fields - _time _raw c
| mvexpand timing_data
| rex field=timing_data max_match=0 "(?<step>\d+): (?<duration>\d+)"
| eval step=printf("%02d", step)
| chart limit=0 max(duration) over cycle by step

So, if you extract the timing info (step + duration) as a single field, then mvexpand it and then extract step and duration, you can chart it. Note I printf step to make it a consistent 2 digits, so it ends up in the correct column order. Display it as a stacked bar chart.

0 Karma

Sept11
Loves-to-Learn Lots

I mean every time I run it over the latest 15 minutes, there is still the same cycle at the end of the displayed chart.

0 Karma

Sept11
Loves-to-Learn Lots

Thank you, that really helped. But why is the chart not showing the latest cycle? It looks like it is chosen randomly. I mean, data is flowing in almost every 2-3 minutes. How do I set it so that the latest cycle is on the very right of the display?

Thank you.

0 Karma

bowesmana
SplunkTrust

When you do the chart command

| chart limit=0 max(duration) over cycle by step

the order of rows will be in the order of the cycle column, which then influences the order of the columns in the chart. If this is not the order you want, then you will need to sort the results on the cycle column. That will then mean you need to ensure your cycle column can be sorted sensibly so that it will sort as you need.

If that means you need to incorporate a _time element to the cycle name then you can do this 

| eval cycle=_time.":".cycle
| chart limit=0 max(duration) over cycle by step
| eval cycle=replace(cycle, "\d+:", "")

which will add the time field as a prefix to the cycle field, so it's sorted in time order, and then you just remove the time part afterwards.

0 Karma