Solved: Visualization not working after extracting values ...

srizan · ‎06-15-2020

Raw Value:

logtype=audit 2020-06-15T12:25:52,650| tid:SDFGH3456gtbhjcfdt$%| AUTHN_REQUEST| | 38 | | 123| | asdxc| AS| ss| | | 40

Query:

index = "PF.log" 
| eval fields=split(_raw,"|")
| eval response=mvindex(fields,13)
| timechart values(response) BY host

I am interested in the last value which is 40 in this example. I tried converting the value tonumber and tried other conversion techniques which doesn't seem to work for some reason.

niketn · ‎06-16-2020

@srizan you would need to add trim if you are plotting it on chart as regular split with your data will have space around response value.

| eval response=trim(mvindex(fields,13))

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn · ‎06-16-2020

@srizan you would need to add trim if you are plotting it on chart as regular split with your data will have space around response value.

| eval response=trim(mvindex(fields,13))

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

srizan · ‎06-16-2020

@niketn Thank you! That worked!! I was using rex to extract the value but this seems to be cleaner approach.

richgalloway · ‎06-15-2020

If you switch to the Statistics tab do you see data? Are the _time, response, and host fields present?

---
If this reply helps you, Karma would be appreciated.

srizan · ‎06-15-2020

I was able to work around using rex to extract the value. Still unsure why conversion did not work.

Visualization not working after extracting values from raw data

timechart

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!