Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

chart with KG and MB in Y -axis

pudanelilita
Explorer
‎08-28-2019 08:16 AM

Hi,
I'm facing issue with chart which displays KG and MB, where MB are bigger by the number, and it shows wrong chart:
Green line needs to be above.

event examples:
Heap: 13.2G
Heap: 6208.6M

How make, that MB are down in the chart?
alt text

My search:
| rex Heap:\s(?<HeapNum>\d+\.\d)\w | search HeapNum!=" " | eval critical=15 | table _time HeapNum critical

Tags (1)
Preview file
40 KB
Preview file
30 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

diogofgm
SplunkTrust
SplunkTrust
‎08-28-2019 04:08 PM

You should first define what is the base unit you want to work with (Kb, Mb, Gb, etc) . For this lets assume Mb

| rex "Heap:\s(?<HeapNum>[\d\.]+)(?<unit>\w+)"
| search HeapNum!=" " 
| eval HeapNum = case(unit="K", HeapNum/1000,unit="M", HeapNum,unit="G", HeapNum*1000)
| eval critical=15 
| table _time HeapNum critical

You can change the calculations in the case depending on the selected unit. And then also revise the critical value accordingly.

Hope this helps.

------------
Hope I was able to help you. If so, some karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

diogofgm
SplunkTrust
SplunkTrust
‎08-28-2019 04:08 PM

You should first define what is the base unit you want to work with (Kb, Mb, Gb, etc) . For this lets assume Mb

| rex "Heap:\s(?<HeapNum>[\d\.]+)(?<unit>\w+)"
| search HeapNum!=" " 
| eval HeapNum = case(unit="K", HeapNum/1000,unit="M", HeapNum,unit="G", HeapNum*1000)
| eval critical=15 
| table _time HeapNum critical

You can change the calculations in the case depending on the selected unit. And then also revise the critical value accordingly.

Hope this helps.

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

pudanelilita
Explorer
‎08-29-2019 12:06 AM

@diogofgm it gives me error:
Error in 'SearchParser': Missing a search command before '\'. Error at position '130' of search query 'search index="adop-e-prod-jira" source="/mnt/hostl...{snipped} {errorcontext = [\d.]+)(?

0 Karma
Reply
Solved! Jump to solution

diogofgm
SplunkTrust
SplunkTrust
‎08-29-2019 04:25 AM

it was missing the rex quotes :S I've updated my answer.

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

pudanelilita
Explorer
‎08-29-2019 04:58 AM

Thank you, @diogofgm that helped!

0 Karma
Reply
Solved! Jump to solution

Sukisen1981
Champion
‎08-28-2019 11:19 AM

assuming HeapNum is your MB field | eval HeapNum=round((HeapNum/1000),2)

0 Karma
Reply
Solved! Jump to solution

pudanelilita
Explorer
‎08-29-2019 12:05 AM

@Sukisen1981 It also round 13G 😞
but with 3400M it works good!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...