Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Parsing logs of multiple types for visualizing in Dashboard

cpramuk
Explorer
‎11-10-2021 04:16 PM

I hope you can help me with a dashboard line  visualization I’m trying to make.

Here is an example of our logs, which keep count at the end of each line :
[db]: 00:05:01.000: newcoteachers:1d 115

[db]: 00:05:01.000: newcoteachers:7d 528

[db]: 00:05:01.000: newcoteachers:30d 1884

 

How can I chart three lines graph in one splunk dashboard panel to represent these numbers? I feel like I'm close but I've hit a wall and cannot find any documentation to help.

The query below only returns the “1d” type. Is it possible to chart the three types?

rex field=_raw  "newteachers:(?<type>.*) (?<num>.*)"  | chart last(num) by type

 

Thanks for any help

 

Christian

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

cpramuk
Explorer
‎11-11-2021 10:29 AM

That is so great, thank you for helping me!! 

While I have your attention. How can I exclude a type from the query, such as "total", and only dashboard the other 3 types

[db]: 00:05:01.000: newcoteachers:1d 115

[db]: 00:05:01.000: newcoteachers:7d 528

[db]: 00:05:01.000: newcoteachers:30d 1884

[db]: 00:05:01.000: newcoteachers:total 1884

I owe you a pizza! Thanks!

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎11-11-2021 01:59 AM

Hi

you can do it this way

| makeresults 
| eval _raw = "[db]: 00:05:01.000: newcoteachers:1d 115
[db]: 00:05:01.000: newcoteachers:7d 528
[db]: 00:05:01.000: newcoteachers:30d 1884" 
| multikv noheader=t 
| fields _raw 
| rex "newcoteachers:(?<type>\w+)\s+(?<num>\d+)" 
| chart last(num) by type

r. Ismo 

Reply
Solved! Jump to solution
Solution

cpramuk
Explorer
‎11-11-2021 10:29 AM

That is so great, thank you for helping me!! 

While I have your attention. How can I exclude a type from the query, such as "total", and only dashboard the other 3 types

[db]: 00:05:01.000: newcoteachers:1d 115

[db]: 00:05:01.000: newcoteachers:7d 528

[db]: 00:05:01.000: newcoteachers:30d 1884

[db]: 00:05:01.000: newcoteachers:total 1884

I owe you a pizza! Thanks!

 

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎11-11-2021 12:47 PM
Nice to help you.
You should look regex and where command on this page https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/ListOfSearchCommands
0 Karma
Reply
Solved! Jump to solution

cpramuk
Explorer
‎11-11-2021 01:40 PM

Yes, regex did it. Thanks for the pointers!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...