Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is query not plotting multi-series line chart?

Jeet
Explorer
‎09-01-2022 06:03 AM 
| regex "message.message"="Total count XXXXXX: |Total rows YYYYYY: " | rex field="message.message" max_match=0 "^(?<msg1>[^:]*)\:(?<msg2>[^:]*)\:(?<msg3>[^:]*)\:(?<msg4>[^:]*)($|\{)" | eval dtonly=strftime(_time, "%Y%m%d") | chart first(msg4) OVER dtonly BY msg3

I get the stats but not the visualization.

 

Thanks

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-01-2022 08:46 AM

It looks like you might have a space between the : and the numbers. The values are left aligned, indicating a string rather than a numeric. Try accounting for the space (if it is there) and only extract digits for msg4.

| rex field="message.message" max_match=0 "^(?<msg1>[^:]*)\:(?<msg2>[^:]*)\:(?<msg3>[^:]*)\:\s*(?<msg4>\d*)"

View solution in original post

0 Karma
Reply
Solved! Jump to solution

Jeet
Explorer
‎09-01-2022 07:55 AM

Is that what you are looking for? Sorry! I am new to Splunk.

0 Karma
Reply
Solved! Jump to solution

Jeet
Explorer
‎09-01-2022 07:12 AM

It's a glue job log output, something like this. one run per day.

 

INFO:__main__:Total rows: 893

...

INFO:__main__:Total count in segments schema: 18504

0 Karma
Reply
Solved! Jump to solution

BlueSocket
Communicator
‎09-01-2022 08:22 AM

@Jeet, you might want to check the maximum number of values that are supported by the visualization that you have selected to output. I have had this happen to me - I can see the (>50,000) values, but the visualization only supports 50,000 rows. That >18,000 might be too high.

0 Karma
Reply
Solved! Jump to solution

Jeet
Explorer
‎09-01-2022 08:28 AM

Data to be plotted won't be more than 50 rows. Enclosing stat output for 2 rows which is not getting plotted.

 

Jeet_0-1662046094574.png

 

 

Tags (1)
0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-01-2022 08:46 AM

It looks like you might have a space between the : and the numbers. The values are left aligned, indicating a string rather than a numeric. Try accounting for the space (if it is there) and only extract digits for msg4.

| rex field="message.message" max_match=0 "^(?<msg1>[^:]*)\:(?<msg2>[^:]*)\:(?<msg3>[^:]*)\:\s*(?<msg4>\d*)"
0 Karma
Reply
Solved! Jump to solution

Jeet
Explorer
‎09-01-2022 08:54 AM

That did the trick. Thank you!!

0 Karma
Reply
Solved! Jump to solution

BlueSocket
Communicator
‎09-01-2022 08:40 AM

So.... What do you see when you switch to the visualization and which visualization are you trying to use?

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-01-2022 07:03 AM

Can you share some events in a code block </> so we can better see what you are dealing with?

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...