Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

xyseries, reporting on multiple data series confusion

pde23
Explorer
‎03-18-2011 05:27 PM

I have log entries that contain, among other things, fields called AcctID and exec_time. I have a user who wants to do, essentially:

sourcetype=statslog | timechart count, avg(exec_time) by AcctID

Since I know this to not be directly possible in 4.1, I went to the strategy laid out in http://www.splunk.com/base/Documentation/4.1.6/User/ReportOfMultipleDataSeries. My search ends up being:

host=*prod* sourcetype=statslog "exec=getSingleAvailability" exec_time > 0 
| stats count as cnt, avg(exec_time) as avgexec by AcctID 
| eval s1="count avgexec" 
| makemv s1 | mvexpand s1 
| eval yval=case(s1=="count",cnt,s1=="avgexec",avgexec) | eval series=AcctID+":"+s1

And I get results as expected, like:

     AcctID cnt  avgexec     s1        series        yval 
1   7490728 23  391.826087  count   7490728:count   23
2   7490728 23  391.826087  avgexec 7490728:avgexec 391.826087
3   5459551 22  193.954545  count   5459551:count   22
4   5459551 22  193.954545  avgexec 5459551:avgexec 193.954545

But when I add the final | xyseries _time,series,yval to the search, I get "No results found"

What am I missing?

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎03-19-2011 07:10 AM

I just walked through the docs myself using some access data use cases and it looks to me like there are mistakes in the documentation.

The docs give this example: 

index=application_servers 
| stats sum(handledRequests) as hRs, avg(sessions) as ssns by source 
| eval s1="handledReqs sessions" 
| makemv s1 | mvexpand s1 
| eval yval=case(s1=="handledReqs",hRs,s1=="sessions",ssns) 
| eval series=host+":"+s1 
| xyseries _time,series,yval

The main mistake is that the stats should be by source, _time not just by source. Without a _time field coming out of the stats clause, the xyseries would indeed yield no results because there wouldnt be any _time fields at that point.

There's also a second mistake although it's minor and it doesnt seem to have tripped you up at all -- the eval series=host+":"+s1 should be eval series=source+":"+s1

I think you were following the docs perfectly, but the docs themselves got garbled at some point. It happens.

So try this: 

host=*prod* sourcetype=statslog "exec=getSingleAvailability" exec_time > 0 
| stats count as cnt, avg(exec_time) as avgexec by AcctID, _time
| eval s1="count avgexec" 
| makemv s1 | mvexpand s1 
| eval yval=case(s1=="count",cnt,s1=="avgexec",avgexec) 
| eval series=AcctID+":"+s1 
| xyseries _time, series, yval

View solution in original post

Reply
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎03-19-2011 07:10 AM

I just walked through the docs myself using some access data use cases and it looks to me like there are mistakes in the documentation.

The docs give this example: 

index=application_servers 
| stats sum(handledRequests) as hRs, avg(sessions) as ssns by source 
| eval s1="handledReqs sessions" 
| makemv s1 | mvexpand s1 
| eval yval=case(s1=="handledReqs",hRs,s1=="sessions",ssns) 
| eval series=host+":"+s1 
| xyseries _time,series,yval

The main mistake is that the stats should be by source, _time not just by source. Without a _time field coming out of the stats clause, the xyseries would indeed yield no results because there wouldnt be any _time fields at that point.

There's also a second mistake although it's minor and it doesnt seem to have tripped you up at all -- the eval series=host+":"+s1 should be eval series=source+":"+s1

I think you were following the docs perfectly, but the docs themselves got garbled at some point. It happens.

So try this: 

host=*prod* sourcetype=statslog "exec=getSingleAvailability" exec_time > 0 
| stats count as cnt, avg(exec_time) as avgexec by AcctID, _time
| eval s1="count avgexec" 
| makemv s1 | mvexpand s1 
| eval yval=case(s1=="count",cnt,s1=="avgexec",avgexec) 
| eval series=AcctID+":"+s1 
| xyseries _time, series, yval
Reply
Solved! Jump to solution

pde23
Explorer
‎03-21-2011 05:08 PM

That's the ticket. Thanks, Doctor Nick!

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎02-10-2017 12:55 PM

Shouldn't the _time be binned before that first stats command?

0 Karma
Reply
Solved! Jump to solution

sideview
SplunkTrust
SplunkTrust
‎03-21-2011 05:04 AM

gerald's the best. 😃

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎03-20-2011 05:46 PM

docs are fixed.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...