Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to query key values and draw timechart?

pavan257
New Member
‎07-18-2015 04:56 PM

Here is the sample data.

RED: 2086
GREEN: 1579
WHITE: 159
PINK: 348
ORANGE: 0

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-19-2015 03:45 PM

This should do it:

...  | rex max_match=0 field=raw "(?<lineData>[^:]+:\s*\d+)" | mvexpand lineData | rex field=lineData "(?<color>[^:]+):\s*(?<count>\d+)" | timechart span=1h sum(count) AS count BY color

This makes your X-axis interval 1 hour.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-19-2015 03:45 PM

This should do it:

...  | rex max_match=0 field=raw "(?<lineData>[^:]+:\s*\d+)" | mvexpand lineData | rex field=lineData "(?<color>[^:]+):\s*(?<count>\d+)" | timechart span=1h sum(count) AS count BY color

This makes your X-axis interval 1 hour.

0 Karma
Reply
Solved! Jump to solution

pavan257
New Member
‎07-19-2015 04:59 PM

No. this query just displaying the events but not the visualization, all these events come through a custom shell script which we made output as "sourcetype = weblogic_stdout" not sure, if that matters here.

0 Karma
Reply
Solved! Jump to solution

pavan257
New Member
‎07-20-2015 06:54 PM

After further cleanup of y event.. this worked perfectly. Thanks Woodcock.

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎07-19-2015 05:04 PM

After you run the search, in the UI click on the Visualization tab and create what ever visualization you need.....

Reply
Solved! Jump to solution

pavan257
New Member
‎07-19-2015 05:10 PM

I know, but this query was not representing any timechart to visualize.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-19-2015 07:43 PM

You are going to have to replace ... with your base search. I tested this on your sample data: it works just fine.

0 Karma
Reply
Solved! Jump to solution

pavan257
New Member
‎07-20-2015 04:38 PM 
...  | rex max_match=0 field=_raw "(?[^:]+:\s*\d+)" | mvexpand lineData | rex field=_raw "(?[^:]+):\s*(?\d+)" | timechart span=1h sum(count) AS count BY color

with this query I am able to see only "RED", but I want to see other lines (GREEN, WHITE...) to be charted.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-18-2015 10:28 PM

Is this 1 event or 5?

0 Karma
Reply
Solved! Jump to solution

pavan257
New Member
‎07-19-2015 06:33 AM

This was one event.

0 Karma
Reply
Solved! Jump to solution

rsennett_splunk
Splunk Employee
Splunk Employee
‎07-19-2015 02:34 PM

does your event have a timestamp? Do all the events contain all those fields? Just those fields? more? Less?

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma
Reply
Solved! Jump to solution

pavan257
New Member
‎07-19-2015 03:21 PM

Yes, I do have time stamp and all the events will have all these fields with different values.

0 Karma
Reply
Get Updates on the Splunk Community!

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...

New Year. New Skills. New Course Releases from Splunk Education

A new year often inspires reflection—and reinvention. Whether your goals include strengthening your security ...