How to query key values and draw timechart?

pavan257
New Member

Here is the sample data.

RED: 2086
GREEN: 1579
WHITE: 159
PINK: 348
ORANGE: 0

1 Solution

woodcock
Esteemed Legend

This should do it:

...  | rex max_match=0 field=_raw "(?<lineData>[^:]+:\s*\d+)" | mvexpand lineData | rex field=lineData "(?<color>[^:]+):\s*(?<count>\d+)" | timechart span=1h sum(count) AS count BY color

This makes your X-axis interval 1 hour.


pavan257
New Member

No. This query is just displaying the events, not the visualization. All these events come through a custom shell script whose output we set as "sourcetype = weblogic_stdout"; not sure if that matters here.


pavan257
New Member

After further cleanup of my event, this worked perfectly. Thanks Woodcock.


MuS
SplunkTrust

After you run the search, in the UI click on the Visualization tab and create whatever visualization you need.

pavan257
New Member

I know, but this query was not representing any timechart to visualize.


woodcock
Esteemed Legend

You are going to have to replace ... with your base search. I tested this on your sample data: it works just fine.


pavan257
New Member

...  | rex max_match=0 field=_raw "(?<lineData>[^:]+:\s*\d+)" | mvexpand lineData | rex field=_raw "(?<color>[^:]+):\s*(?<count>\d+)" | timechart span=1h sum(count) AS count BY color

With this query I am able to see only "RED", but I want the other lines (GREEN, WHITE, ...) to be charted as well.

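As an added illustration that is not part of the thread, the Python below mimics the accepted search: the first rex with max_match=0 pulls every "COLOR: n" line out of _raw, mvexpand turns them into rows, the second rex splits each row into color and count, and timechart span=1h sums count per color per hour. It also reproduces the variant posted just above, where the second rex runs on _raw instead of lineData, which is why only RED shows up. The events, timestamps and function names are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events: (timestamp, multi-line body shaped like the thread's data).
EVENTS = [
    ("2024-03-01 10:05:00", "RED: 2086\nGREEN: 1579\nWHITE: 159\nPINK: 348\nORANGE: 0"),
    ("2024-03-01 10:40:00", "RED: 10\nGREEN: 20\nWHITE: 30\nPINK: 40\nORANGE: 50"),
    ("2024-03-01 11:15:00", "RED: 1\nGREEN: 2\nWHITE: 3\nPINK: 4\nORANGE: 5"),
]

# Same patterns as the SPL: rex max_match=0 "(?<lineData>[^:]+:\s*\d+)" and
# rex "(?<color>[^:]+):\s*(?<count>\d+)".
LINE_RE = re.compile(r"[^:]+:\s*\d+")
KV_RE = re.compile(r"(?P<color>[^:]+):\s*(?P<count>\d+)")


def extract_pairs(raw, second_rex_on_lineData=True):
    """Return [(color, count), ...] for one event.

    second_rex_on_lineData=True  -> rex field=lineData, one pair per expanded row.
    second_rex_on_lineData=False -> rex field=_raw (the variant posted in the thread):
    without max_match it extracts only the first match, so every row becomes RED.
    """
    rows = LINE_RE.findall(raw)  # max_match=0 + mvexpand: one row per "COLOR: n"
    if second_rex_on_lineData:
        pairs = []
        for row in rows:
            m = KV_RE.search(row)
            # strip() drops the newline that [^:]+ swallows before GREEN, WHITE, ...
            pairs.append((m.group("color").strip(), int(m.group("count"))))
        return pairs
    m = KV_RE.search(raw)
    return [(m.group("color").strip(), int(m.group("count")))] * len(rows)


def timechart_hourly(events, second_rex_on_lineData=True):
    """timechart span=1h sum(count) AS count BY color -> {hour: {color: total}}."""
    chart = defaultdict(lambda: defaultdict(int))
    for ts, raw in events:
        hour = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(minute=0, second=0)
        for color, count in extract_pairs(raw, second_rex_on_lineData):
            chart[hour.isoformat()][color] += count
    return {hour: dict(colors) for hour, colors in chart.items()}


if __name__ == "__main__":
    print("rex on lineData:", timechart_hourly(EVENTS))
    print("rex on _raw:", timechart_hourly(EVENTS, second_rex_on_lineData=False))
```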

woodcock
Esteemed Legend

Is this 1 event or 5?


pavan257
New Member

This was one event.


rsennett_splunk
Splunk Employee

Does your event have a timestamp? Do all the events contain all those fields? Just those fields? More? Less?

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

pavan257
New Member

Yes, I do have a timestamp, and all the events will have all these fields with different values.
