Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Graphing negative values OR converting the values to positive

dbcase
Motivator
‎05-25-2018 10:38 AM

Hi,

I'm trying to do a time chart of RSSI values (typically negative values). I have a query that extracts the values and puts them into a table (just for troubleshooting). I'm also trying to convert the values to positive using the abs function but it keeps coming up blank. I've checked using isstr to see if the values were a string and needed to be converted but the function returned no (it is not a string). Can't figure out what the heck is wrong here. Thoughts?

earliest=-4hr index="camera_status" sourcetype=access_combined_camerastatus 8773|rex max_match=0 "Premise=\s+(?<premiseid>\d+)"|rex max_match=0 "Mac=\s+(?<macid>[a-fA-F0-9\.:-]{12,17})"|rex max_match=0 "RSSI=\s+(?<rssiid>[^\s]+)"|eval n=abs(rssiid)|table n rssiid

Resulting table. As you can see the rssiid comes across just fine but n (where I'm doing the eval/abs) is null
alt text

Tags (1)
Preview file
21 KB
0 Karma
Reply

somesoni2
Revered Legend
‎05-25-2018 11:11 AM

Most eval functions doesn't work on multivalued fields, which your rssid field is. Also, you can't chart the multivalued field. So in order to apply the functions or charting, you'd expand your multivalued field as single value using mvexpand command. There is no special processing to chart the negative numbers.

Now if you've more than one, related multivalued fields, you'll concatenate them into single multivalued field using mvzip, expand it using mvexpand and then split it again, similar to what's being done in this post
http://www.bbosearch.com/commands/mvexpand
https://answers.splunk.com/answers/301140/how-can-i-use-the-eval-function-mvzip-with-8-attri.html

0 Karma
Reply

dbcase
Motivator
‎05-29-2018 08:30 AM

ah ok that helped, still getting some odd behavior. I'll open up a new question

0 Karma
Reply

dbcase
Motivator
‎05-25-2018 10:39 AM

whups forgot the other part. If there is a way to graph negative numbers I'd do that as well

0 Karma
Reply

niketn
Legend
‎05-25-2018 12:22 PM

@dbcase, while negative values can definitely be plotted on charts like column, bar, line or area, it is unclear what is the aggregation field against which you want to plot the negative rssids. You seem to have two rows in your screenshot. What is the key field for each row?

Try adding the following query to your existing search:

earliest=-4hr index="camera_status" sourcetype=access_combined_camerastatus 8773
|rex max_match=0 "Premise=\s+(?<premiseid>\d+)"
|rex max_match=0 "Mac=\s+(?<macid>[a-fA-F0-9\.:-]{12,17})"
|rex max_match=0 "RSSI=\s+(?<rssiid>[^\s]+)"
|  mvexpand rssiid
|  chart values(rssiid) by sno rssiid

Following is a run anywhere example for you to try out:

|  makeresults
|  eval sno=1, rssiid="-12,-32,-21,-45,-9"
|  append 
    [|  makeresults
    | eval sno=2, rssiid="-43,-53,-2,-22" ]
|  makemv rssiid delim=","
|  mvexpand rssiid
|  chart values(rssiid) by sno rssiid
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...

Index This | How many sevens are there between 1 and 100?

August 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...