I'm trying to chart values where there are multiple values per comparison category. Splunk doesn't seem to like it unless I aggregate those values somehow, e.g. avg(*_field).
For example:
Vegetable, A_field, B_field, C_field
=============================
carrot,1,2,3
carrot,4,5,6
kale,7,8,9
kale,12,13,14
beet,2,3,5
beet,6,7,8
But this:
chart values(*_field) by Vegetable
doesn't seem to work.
Here is a hack to cause values() to function like list() to escape the 100 limit:
| makeresults count=2000
| eval foo = random()
| rename COMMENT AS "Everything above generates sample event data"
| streamstats count AS _serial
| eval _serial=printf("%06d", _serial)
| eval TRAN = _serial . ":" . foo
| rename COMMENT AS "values() on the serial-prefixed field keeps every value (the prefix makes each one unique and sorts them in event order); list() is capped at 100"
| stats values(TRAN) AS listhackfoo list(foo) AS limitedfoo
| rename COMMENT AS "Strip the serial prefix again"
| rex field=listhackfoo mode=sed "s/^\d+://"
| rex field=limitedfoo mode=sed "s/^\d+://"
| eventstats dc(listhackfoo) dc(limitedfoo)
You would need to use foreach * to cover all fields.
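The same serial-prefix trick applied to the Vegetable data from the question, with foreach covering every *_field column, as an added example that is not part of any post in this thread. The sample rows are constructed inline; the field names A_field, B_field, C_field and the _serial helper field are assumptions taken from the question and the answer above.

```spl
| rename COMMENT AS "Constructed sample: the six rows from the question, one event per row"
| makeresults
| eval row=split("carrot,1,2,3;carrot,4,5,6;kale,7,8,9;kale,12,13,14;beet,2,3,5;beet,6,7,8", ";")
| mvexpand row
| rex field=row "^(?<Vegetable>[^,]+),(?<A_field>[^,]+),(?<B_field>[^,]+),(?<C_field>[^,]+)$"
| fields - row
| rename COMMENT AS "Zero-padded serial so that values() (which sorts lexicographically) preserves event order"
| streamstats count AS _serial
| eval _serial=printf("%06d", _serial)
| rename COMMENT AS "Prefix every *_field value with the serial so values() does not deduplicate or reorder"
| foreach *_field [ eval <<FIELD>>=_serial . ":" . '<<FIELD>>' ]
| rename COMMENT AS "values() is not subject to the 100-value cap of list()"
| stats values(*_field) AS *_field BY Vegetable
| rename COMMENT AS "Strip the serial prefix from each multivalue entry"
| foreach *_field [ rex field=<<FIELD>> mode=sed "s/^\d+://" ]
```

The result is one row per Vegetable with A_field, B_field and C_field as ordered multivalue fields (carrot: 1,4 / 2,5 / 3,6 and so on), which is what list(*) AS * would give for small sets but without its 100-value limit.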
So you're saying doing just ...base search | table Vegetable *_field doesn't give you a chart in the visualization tab?
Not if you want more complex visualization
It should be just this:
... | stats list(*) AS * BY Vegetable
Hi, @haph
Sample:
| makeresults
| eval _raw="Tool_No pressing_action pressure
14 1 650
14 2 648
14 3 655
20 1 223
20 2 221
20 3 230
19 1 479
19 2 482
19 3 488"
| multikv forceheader=1
| eval tmp=pressing_action.":".pressure
| stats values(tmp) as tmp by Tool_No
| mvexpand tmp
| rex field=tmp "(?<pressing_action>.*):(?<pressure>.*)"
| fields - tmp
Recommend:
your_query
| eval tmp=pressing_action.":".pressure
| stats values(tmp) as tmp by "Tool-No."
| mvexpand tmp
| rex field=tmp "(?<pressing_action>.*):(?<pressure>.*)"
| fields - tmp
pressing_action is ordered, so stats values() is useful.
But this would only show the first 100 values. What if I have more?
stats list() is limited to 100 values by default.
what's your query?
I have a use case where a production machine is monitored. The machine, a press, is pressing 80 times per minute; the pressure is measured by a sensor which sends data to Splunk every 10-50 ms. On the machine various tools can be mounted.
I want to calculate the max pressure for each pressing action per tool, the result looks something like this:
Tool-No. pressing_action pressure
14 1 650
14 2 648
14 3 655
14 [n] ....
20 1 223
20 2 221
20 3 230
20 [n] ....
19 1 479
19 2 482
19 3 488
19 [n] ....
Where [n] can be up to 50000.
And now I want to display every pressure from every tool over pressure_action. The visualization split by Tool-No. with trellis.
I know that I have to set some chart-options in the dashboard to display more than 10000 values.
It wouldn't matter to me, if a rolling average over pressure_action would be applied and therefore maybe 500-1000 values merged.
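The per-tool peak-pressure aggregation described above, followed by the rolling average the post mentions, as an added example that is not part of any post in this thread. The sensor data is constructed inline (2 tools, 30 pressing actions each, 10 readings per action); the field name Tool_No, the window of 5 actions and the span of 5 are assumptions.

```spl
| rename COMMENT AS "Constructed sample: 600 sensor readings, assumed field names Tool_No / pressing_action / pressure"
| makeresults count=600
| streamstats count AS n
| eval Tool_No=if(n<=300, 14, 20)
| eval pressing_action=floor(((n-1) % 300) / 10) + 1
| eval pressure=if(Tool_No=14, 630, 210) + (random() % 30)
| rename COMMENT AS "Peak pressure of each pressing action, per tool"
| stats max(pressure) AS pressure BY Tool_No pressing_action
| rename COMMENT AS "Rolling average over the previous 5 actions; global=false keeps a separate window per tool (assumed window)"
| sort 0 Tool_No pressing_action
| streamstats window=5 global=false avg(pressure) AS pressure_avg BY Tool_No
| rename COMMENT AS "Optional thinning: one point per 5 actions so the series stays small enough to chart (assumed span)"
| bin pressing_action span=5
| stats avg(pressure_avg) AS pressure_avg BY Tool_No pressing_action
```

The first stats reduces the 10-50 ms readings to one peak per pressing action, which is the series the post wants to plot; the streamstats window smooths it, and the bin/stats pair merges neighbouring actions so that very long runs (the [n] up to 50000 case) fit within the chart limits without changing the per-tool split used for the trellis.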