Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Parsing logs of multiple types for visualizing in Dashboard

cpramuk
Explorer
‎11-10-2021 04:16 PM

I hope you can help me with a dashboard line  visualization I’m trying to make.

Here is an example of our logs, which keep count at the end of each line :
[db]: 00:05:01.000: newcoteachers:1d 115

[db]: 00:05:01.000: newcoteachers:7d 528

[db]: 00:05:01.000: newcoteachers:30d 1884

 

How can I chart three lines graph in one splunk dashboard panel to represent these numbers? I feel like I'm close but I've hit a wall and cannot find any documentation to help.

The query below only returns the “1d” type. Is it possible to chart the three types?

rex field=_raw  "newteachers:(?<type>.*) (?<num>.*)"  | chart last(num) by type

 

Thanks for any help

 

Christian

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

cpramuk
Explorer
‎11-11-2021 10:29 AM

That is so great, thank you for helping me!! 

While I have your attention. How can I exclude a type from the query, such as "total", and only dashboard the other 3 types

[db]: 00:05:01.000: newcoteachers:1d 115

[db]: 00:05:01.000: newcoteachers:7d 528

[db]: 00:05:01.000: newcoteachers:30d 1884

[db]: 00:05:01.000: newcoteachers:total 1884

I owe you a pizza! Thanks!

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎11-11-2021 01:59 AM

Hi

you can do it this way

| makeresults 
| eval _raw = "[db]: 00:05:01.000: newcoteachers:1d 115
[db]: 00:05:01.000: newcoteachers:7d 528
[db]: 00:05:01.000: newcoteachers:30d 1884" 
| multikv noheader=t 
| fields _raw 
| rex "newcoteachers:(?<type>\w+)\s+(?<num>\d+)" 
| chart last(num) by type

r. Ismo 

Reply
Solved! Jump to solution
Solution

cpramuk
Explorer
‎11-11-2021 10:29 AM

That is so great, thank you for helping me!! 

While I have your attention. How can I exclude a type from the query, such as "total", and only dashboard the other 3 types

[db]: 00:05:01.000: newcoteachers:1d 115

[db]: 00:05:01.000: newcoteachers:7d 528

[db]: 00:05:01.000: newcoteachers:30d 1884

[db]: 00:05:01.000: newcoteachers:total 1884

I owe you a pizza! Thanks!

 

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎11-11-2021 12:47 PM
Nice to help you.
You should look regex and where command on this page https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/ListOfSearchCommands
0 Karma
Reply
Solved! Jump to solution

cpramuk
Explorer
‎11-11-2021 01:40 PM

Yes, regex did it. Thanks for the pointers!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...