Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Graphing negative values OR converting the values to positive

dbcase
Motivator
‎05-25-2018 10:38 AM

Hi,

I'm trying to do a time chart of RSSI values (typically negative values). I have a query that extracts the values and puts them into a table (just for troubleshooting). I'm also trying to convert the values to positive using the abs function but it keeps coming up blank. I've checked using isstr to see if the values were a string and needed to be converted but the function returned no (it is not a string). Can't figure out what the heck is wrong here. Thoughts?

earliest=-4hr index="camera_status" sourcetype=access_combined_camerastatus 8773|rex max_match=0 "Premise=\s+(?<premiseid>\d+)"|rex max_match=0 "Mac=\s+(?<macid>[a-fA-F0-9\.:-]{12,17})"|rex max_match=0 "RSSI=\s+(?<rssiid>[^\s]+)"|eval n=abs(rssiid)|table n rssiid

Resulting table. As you can see the rssiid comes across just fine but n (where I'm doing the eval/abs) is null
alt text

Tags (1)
Preview file
1 KB
0 Karma
Reply

somesoni2
Revered Legend
‎05-25-2018 11:11 AM

Most eval functions doesn't work on multivalued fields, which your rssid field is. Also, you can't chart the multivalued field. So in order to apply the functions or charting, you'd expand your multivalued field as single value using mvexpand command. There is no special processing to chart the negative numbers.

Now if you've more than one, related multivalued fields, you'll concatenate them into single multivalued field using mvzip, expand it using mvexpand and then split it again, similar to what's being done in this post
http://www.bbosearch.com/commands/mvexpand
https://answers.splunk.com/answers/301140/how-can-i-use-the-eval-function-mvzip-with-8-attri.html

0 Karma
Reply

dbcase
Motivator
‎05-29-2018 08:30 AM

ah ok that helped, still getting some odd behavior. I'll open up a new question

0 Karma
Reply

dbcase
Motivator
‎05-25-2018 10:39 AM

whups forgot the other part. If there is a way to graph negative numbers I'd do that as well

0 Karma
Reply

niketn
Legend
‎05-25-2018 12:22 PM

@dbcase, while negative values can definitely be plotted on charts like column, bar, line or area, it is unclear what is the aggregation field against which you want to plot the negative rssids. You seem to have two rows in your screenshot. What is the key field for each row?

Try adding the following query to your existing search:

earliest=-4hr index="camera_status" sourcetype=access_combined_camerastatus 8773
|rex max_match=0 "Premise=\s+(?<premiseid>\d+)"
|rex max_match=0 "Mac=\s+(?<macid>[a-fA-F0-9\.:-]{12,17})"
|rex max_match=0 "RSSI=\s+(?<rssiid>[^\s]+)"
|  mvexpand rssiid
|  chart values(rssiid) by sno rssiid

Following is a run anywhere example for you to try out:

|  makeresults
|  eval sno=1, rssiid="-12,-32,-21,-45,-9"
|  append 
    [|  makeresults
    | eval sno=2, rssiid="-43,-53,-2,-22" ]
|  makemv rssiid delim=","
|  mvexpand rssiid
|  chart values(rssiid) by sno rssiid
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...