Solved: Newbie question on a search string to produce a li...

cmodyssey · ‎12-30-2015

Hi,

I've never written a search string for Splunk and some of the answers that I think are for my question really confuse me, so pleae bear with me, as this is probably a really dumb question.

I've got the very beginning of my search: source="web_input://CyberQ

Which produces the following data:

match_cook_temp="718" raw_match_count="5" response_size="1235" match_output_percent="100" response_code="200" match_food1_temp="OPEN" match_cook_set="3560" encoding="ascii" match_food1_set="1670" request_time="613.86013031"
match_cook_temp="719" raw_match_count="5" response_size="1235" match_output_percent="100" response_code="200" match_food1_temp="OPEN" match_cook_set="3560" encoding="ascii" match_food1_set="1670" request_time="670.753002167"
match_cook_temp="721" raw_match_count="5" response_size="1235" match_output_percent="100" response_code="200" match_food1_temp="OPEN" match_cook_set="3560" encoding="ascii" match_food1_set="1670" request_time="582.855939865"
match_cook_temp="721" raw_match_count="5" response_size="1235" match_output_percent="100" response_code="200" match_food1_temp="OPEN" match_cook_set="3560" encoding="ascii" match_food1_set="1670" request_time="580.070018768"
match_cook_temp="722" raw_match_count="5" response_size="1235" match_output_percent="100" response_code="200" match_food1_temp="OPEN" match_cook_set="3560" encoding="ascii" match_food1_set="1670" request_time="614.03298378"
match_cook_temp="721" raw_match_count="5" response_size="1235" match_output_percent="100" response_code="200" match_food1_temp="OPEN" match_cook_set="3560" encoding="ascii" match_food1_set="1670" request_time="566.085100174"
match_cook_temp="725" raw_match_count="5" response_size="1235" match_output_percent="100" response_code="200" match_food1_temp="OPEN" match_cook_set="3560" encoding="ascii" match_food1_set="1670" request_time="915.005922318"
match_cook_temp="719" raw_match_count="5" response_size="1235" match_output_percent="100" response_code="200" match_food1_temp="OPEN" match_cook_set="3560" encoding="ascii" match_food1_set="1670" request_time="616.425037384"
match_cook_temp="719" raw_match_count="5" response_size="1235" match_output_percent="100" response_code="200" match_food1_temp="OPEN" match_cook_set="3560" encoding="ascii" match_food1_set="1670" request_time="622.943162918"

I would like to have a graph, that shows the following fields on a Y axis: cook_temp,cook_set,food1_temp,food1_set,output_percent
For the X axis, I'm after this to be time.

An example of what I'm after shown in Excel is:

Please could I have a hand with writing the search statement that would generate this.

Thanks,

Richard.

sundareshr · ‎12-30-2015

Richard, I assume your data has a time field. The following command should give you what you're looking for

source="web_input://CyberQ | timechart span=1m max(cook_temp) as cook_temp, max(cook_set) as cooke_set, max(food1_temp) as food_temp, max(food1_set) as food_set, max(output_percent) as output

You can change the max to any of these stats functions

http://docs.splunk.com/Documentation/Splunk/6.3.1511/SearchReference/CommonStatsFunctions

View solution in original post

cmodyssey · ‎12-31-2015

Hi,

Thanks for everyone's help, I have been playing with that search syntax and refined it to get me a nice looking chart.

Here is the result of my BBQing earlier today and the Splunk search and chart:

cmodyssey · ‎01-03-2016

It's been a good learning experience, as I now know that you set the BBQ or oven at a certain temperature for a certain time to cook a joint of meat.
That is what's calculated to get the meat itself to a cooked temperature.
To get the settings and measurements into Splunk was also a learning experience as I'd never used Splunk before either but really hoped it was possible, so I could see the temperatures rise over time.
I was a great holiday time project!

jkat54 · ‎01-02-2016

See now you're splunking life at it's finest!

jplumsdaine22 · ‎01-01-2016

Woohoo! Splunk BBQ!

jplumsdaine22 · ‎12-31-2015

I've been following your BBQ saga for a while now, can't wait to see how it turns out 🙂

I absolutely recommend you do the splunk tutorial here http://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial

The read this: http://blogs.splunk.com/2014/04/01/search-command-stats-eventstats-and-streamstats-2/

Then follow up with this: http://docs.splunk.com/Documentation/Splunk/latest/Indexer/HowIndexingWorks

jkat54 · ‎01-02-2016

lol, the community is hungry now thanks!

sundareshr · ‎12-30-2015

Richard, I assume your data has a time field. The following command should give you what you're looking for

source="web_input://CyberQ | timechart span=1m max(cook_temp) as cook_temp, max(cook_set) as cooke_set, max(food1_temp) as food_temp, max(food1_set) as food_set, max(output_percent) as output

You can change the max to any of these stats functions

http://docs.splunk.com/Documentation/Splunk/6.3.1511/SearchReference/CommonStatsFunctions

Newbie question on a search string to produce a line graph of multiple Y values

Splunk Classroom Chronicles: Training Tales and Testimonials

Access Tokens Page - New & Improved

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!