Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can I chart values without aggregation?

the_wolverine
Champion
‎03-22-2017 11:51 AM

I'm trying to chart values where there are multiple values per comparison_category. Splunk doesn't seem to like it unless I aggregate those values somehow. e.g. avg(*_field)

For example:

Vegetable, A_field, B_field, C_field
=============================
carrot,1,2,3
carrot,4,5,6
kale,7,8,9
kale,12,13,14
beet,2,3,5
beet,6,7,8

But this:

chart values(*_field) by Vegetable

doesn't seem to work.

0 Karma
Reply

woodcock
Esteemed Legend
‎02-19-2020 04:12 PM

Here is a hack to cause values() to function like list() to escape the 100 limit:

| makeresults count=2000
| eval foo = random()
| rename COMMENT AS "Everything above generates sample event data"
| streamstats count AS _serial
| eval _serial=printf("%06d", _serial)
| eval TRAN = _serial . ":" . foo
| stats values(foo) AS listhackfoo list(foo) AS limitedfoo
| rex field=listhackfoo mode=sed "s/^\d+://"
| rex field=limitedfoo mode=sed "s/^\d+://"
| eventstats dc(listhackfoo) dc(limitedfoo)

You would need to use foreach * to cover all fields.

Reply

somesoni2
Revered Legend
‎03-22-2017 01:14 PM

So you're saying doing just ...base search | table Vegetable *_field doesn't give you a chart in visualization tab?

0 Karma
Reply

haph
Path Finder
‎02-19-2020 02:50 AM

Not if you want more complex visualization

0 Karma
Reply

woodcock
Esteemed Legend
‎03-22-2017 11:55 AM

It should be just this:

... | stats list(*) AS * BY Vegetable
0 Karma
Reply

to4kawa
Ultra Champion
‎02-19-2020 12:53 PM

Hi, @haph
Sample:

| makeresults 
| eval _raw="Tool_No      pressing_action     pressure
 14                 1                               650
 14                 2                               648
 14                 3                               655
 20                 1                               223
 20                 2                               221
 20                 3                               230
 19                 1                               479
 19                 2                               482
 19                 3                               488" 
| multikv forceheader=1 
| eval tmp=pressing_action.":".pressure 
| stats values(tmp) as tmp by Tool_No 
| mvexpand tmp 
| rex field=tmp "(?<pressing_action>.*):(?<pressure>.*)" 
| fields - tmp

Recommend:

your_query
| eval tmp=pressing_action.":".pressure 
| stats values(tmp) as tmp by "Tool-No." 
| mvexpand tmp 
| rex field=tmp "(?<pressing_action>.*):(?<pressure>.*)" 
| fields - tmp

pressing_action is order. so, stats values() is useful.

0 Karma
Reply

haph
Path Finder
‎02-19-2020 02:49 AM

But this would only show the first 100 values. What if I have more?

0 Karma
Reply

to4kawa
Ultra Champion
‎02-19-2020 03:49 AM

stats list() is limit 100 values by default.
what's your query?

0 Karma
Reply

haph
Path Finder
‎02-19-2020 04:39 AM

I have a use case where a production machine is monitored. The machine, a press, is pressing 80 times per minute, the pressure is measured by a sensor which sends data to splunk every 10-50 ms. On the machine various tools can be mounted.
I want to calculate the max pressure for each pressing action per tool, the result looks something like this:

Tool-No.      pressing_action     pressure
14                 1                               650
14                 2                               648
14                 3                               655
14                 [n]                             ....
20                 1                               223
20                 2                               221
20                 3                               230
20                 [n]                             ....
19                 1                               479
19                 2                               482
19                 3                               488
19                 [n]                             ....

Where [n] can be up to 50000.

And now I want to display every pressure from every tool over pressure_action. The visualization splitted by Tool-No. with trellis.
I know that I have to set some chart-options in the dashboard to display more than 10000 values.
It wouldn't matter to me, if a rolling average over pressure_action would be applied and therefore maybe 500-1000 values merged.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...