Splunk Search

Can I chart values without aggregation?

the_wolverine
Champion

I'm trying to chart values where there are multiple values per comparison_category. Splunk doesn't seem to like it unless I aggregate those values somehow. e.g. avg(*_field)

For example:

Vegetable, A_field, B_field, C_field
=============================
carrot,1,2,3
carrot,4,5,6
kale,7,8,9
kale,12,13,14
beet,2,3,5
beet,6,7,8

But this:

chart values(*_field) by Vegetable

doesn't seem to work.

0 Karma

woodcock
Esteemed Legend

Here is a hack to cause values() to function like list() to escape the 100 limit:

| makeresults count=2000
| eval foo = random()
| rename COMMENT AS "Everything above generates sample event data"
| streamstats count AS _serial
| eval _serial=printf("%06d", _serial)
| eval TRAN = _serial . ":" . foo
| stats values(foo) AS listhackfoo list(foo) AS limitedfoo
| rex field=listhackfoo mode=sed "s/^\d+://"
| rex field=limitedfoo mode=sed "s/^\d+://"
| eventstats dc(listhackfoo) dc(limitedfoo)

You would need to use foreach * to cover all fields.

somesoni2
Revered Legend

So you're saying doing just ...base search | table Vegetable *_field doesn't give you a chart in visualization tab?

0 Karma

haph
Path Finder

Not if you want more complex visualization

0 Karma

woodcock
Esteemed Legend

It should be just this:

... | stats list(*) AS * BY Vegetable
0 Karma

to4kawa
Ultra Champion

Hi, @haph
Sample:

| makeresults 
| eval _raw="Tool_No      pressing_action     pressure
 14                 1                               650
 14                 2                               648
 14                 3                               655
 20                 1                               223
 20                 2                               221
 20                 3                               230
 19                 1                               479
 19                 2                               482
 19                 3                               488" 
| multikv forceheader=1 
| eval tmp=pressing_action.":".pressure 
| stats values(tmp) as tmp by Tool_No 
| mvexpand tmp 
| rex field=tmp "(?<pressing_action>.*):(?<pressure>.*)" 
| fields - tmp

Recommend:

your_query
| eval tmp=pressing_action.":".pressure 
| stats values(tmp) as tmp by "Tool-No." 
| mvexpand tmp 
| rex field=tmp "(?<pressing_action>.*):(?<pressure>.*)" 
| fields - tmp

pressing_action is order. so, stats values() is useful.

0 Karma

haph
Path Finder

But this would only show the first 100 values. What if I have more?

0 Karma

to4kawa
Ultra Champion

stats list() is limit 100 values by default.
what's your query?

0 Karma

haph
Path Finder

I have a use case where a production machine is monitored. The machine, a press, is pressing 80 times per minute, the pressure is measured by a sensor which sends data to splunk every 10-50 ms. On the machine various tools can be mounted.
I want to calculate the max pressure for each pressing action per tool, the result looks something like this:

Tool-No.      pressing_action     pressure
14                 1                               650
14                 2                               648
14                 3                               655
14                 [n]                             ....
20                 1                               223
20                 2                               221
20                 3                               230
20                 [n]                             ....
19                 1                               479
19                 2                               482
19                 3                               488
19                 [n]                             ....

Where [n] can be up to 50000.

And now I want to display every pressure from every tool over pressure_action. The visualization splitted by Tool-No. with trellis.
I know that I have to set some chart-options in the dashboard to display more than 10000 values.
It wouldn't matter to me, if a rolling average over pressure_action would be applied and therefore maybe 500-1000 values merged.

0 Karma
Get Updates on the Splunk Community!

There's No Place Like Chrome and the Splunk Platform

Watch On DemandMalware. Risky Extensions. Data Exfiltration. End-users are increasingly reliant on browsers to ...

The Great Resilience Quest: 5th Leaderboard Update

The fifth leaderboard update for The Great Resilience Quest is out &gt;&gt; &#x1f3c6; Check out the ...

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

At this year’s Splunk University, I had the privilege of chatting with Devesh Logendran, one of the winners in ...