Splunk Search

Chart values extracted from search

Path Finder

Hi, I have created a saved search that removes all text but the value I want to chart, i.e. host="machine" "uniquesearchtext" | rex mode=sed "s/.blah //1" | rex mode=sed "s/ stuff.//1". I am left with a single number for each time entry. How do I now simply bar chart these numbers over time? I don't see a quick answer in the timechart documentation.

Thanks!

0 Karma
1 Solution

Builder

Pipe your search into the timechart command, for example:

host="machine" "uniquesearchtext" | rex mode=sed "s/.blah //1" | rex mode=sed "s/ stuff.//1" | timechart span="how big of bucket, example, 1m for 1 min" sum("name of field to add the number up for") as "column name"

0 Karma

Path Finder

Ah, perfect. That was what I needed (_raw). Right, I want them to use the timestamp from the event. I am surprised this isn't an example in the documentation; it seems normal for any custom log to remove everything but the item you want to chart. Then again, maybe everyone defines fields on input so they don't need to do this. I prefer the front-end manipulation to the back-end, especially for things that may change. Anyhow, thank you.

0 Karma

Builder

On another note, if you don't want to "group" time and just want the event to use the timestamp from the event, your search would end in: chart sum(_raw) as "Blah" by _time. If for some reason you have events that occur in the same second and the sum(_raw) won't work for you, you can also use xyseries: | xyseries 1stColumn 2ndColumn-name 2ndColumn-Data. Try xyseries _time host _raw. Might work for ya.

0 Karma

Builder

If you are using rex to strip out all words and only leave the number, then you can use the _raw field in your search: timechart span="1d" sum(_raw) as "Blah"

0 Karma

Builder

I really need to see what your event looks like. In order to "chart" something, you need an x and a y value. Using the timechart command, we are telling Splunk your x value is the "time" and the y value is a "field". Splunk assumes there are going to be multiple events during a block of time, so you have to specify how to handle that. The sum of a field, when it is the only event, only duplicates the value. If there were 2 events during a 24hr period, it'd add them together. timechart span="1d" tells the x axis to be grouped in 1 day increments. You just need your number stored in a field.

0 Karma
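To make the bucketing behaviour described in these replies concrete, here is an added Python emulation of the pipeline discussed in the thread. It is not Splunk code and was not posted by anyone in the thread: it applies the two rex mode=sed substitutions from the question, then emulates either timechart span=1d sum(_raw) (the accepted answer) or chart sum(_raw) by _time (the "use the event's own timestamp" variant) over a handful of constructed events. The timestamps, the "xblah N stuffx" line format and the one-day span are assumptions for the example. It shows the three points the replies make: a bucket holding one event just carries that event's value, two events in one day (or one second) are added into one row, and a line the sed patterns do not fully strip leaves _raw non-numeric, which sum() skips, so that bucket comes out blank.

```python
import re
from datetime import datetime, timezone

# Constructed sample events (not taken from the thread). Each _raw has the
# shape the asker describes: one number wrapped in fixed text. Two events
# share a second on purpose, and one line is deliberately malformed so the
# sed stripping leaves text behind.
SAMPLE_EVENTS = [
    ("2024-03-01T00:05:00Z", "xblah 12 stuffx"),
    ("2024-03-03T00:05:00Z", "xblah 9 stuffx"),
    ("2024-03-03T00:05:00Z", "xblah 4 stuffx"),   # same second as the line above
    ("2024-03-04T00:05:00Z", "xblah 7 stuff"),    # nothing after "stuff": 2nd sed never matches
    ("2024-03-05T00:05:00Z", "xblah 20 stuffx"),
]

# The thread's two `rex mode=sed` substitutions as (pattern, replacement).
# In sed, "s/.blah //1" deletes the first occurrence of any single character
# followed by "blah "; "s/ stuff.//1" likewise needs one character after "stuff".
SED_STEPS = [
    (re.compile(r".blah "), ""),
    (re.compile(r" stuff."), ""),
]


def sed_strip(raw):
    """Apply the substitutions in order, each replacing only its first match."""
    for pattern, replacement in SED_STEPS:
        raw = pattern.sub(replacement, raw, count=1)
    return raw


def as_number(value):
    """Splunk's sum() skips values that are not numeric; represent that as None."""
    try:
        return float(value)
    except ValueError:
        return None


def epoch(ts):
    """ISO-8601 UTC timestamp -> epoch seconds (the example assumes UTC buckets)."""
    return int(datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp())


def _sum_by(events, key_of_time):
    """Sum the sed-stripped numeric value of each event under a time key.
    A key whose events carry no numeric value stays empty (None), like a
    blank cell in the Splunk result table."""
    totals = {}
    for ts, raw in events:
        key = key_of_time(epoch(ts))
        value = as_number(sed_strip(raw))
        if value is None:
            totals.setdefault(key, None)
        else:
            totals[key] = (totals.get(key) or 0.0) + value
    return totals


def timechart_sum_raw(events, span_seconds):
    """Emulate `... | timechart span=<span> sum(_raw)`.

    Events are floored to fixed-width buckets and summed per bucket. The x
    axis is continuous: every bucket from the first to the last is listed,
    and buckets with no numeric value are left empty (None).
    """
    totals = _sum_by(events, lambda t: t - t % span_seconds)
    if not totals:
        return []
    first, last = min(totals), max(totals)
    return [(b, totals.get(b)) for b in range(first, last + 1, span_seconds)]


def chart_sum_raw_by_time(events):
    """Emulate `... | chart sum(_raw) by _time`: one row per distinct _time
    and no gap filling, so events that share a second collapse into one row."""
    return sorted(_sum_by(events, lambda t: t).items())


if __name__ == "__main__":
    print("timechart span=1d sum(_raw):")
    for bucket, total in timechart_sum_raw(SAMPLE_EVENTS, 86400):
        print(f"  {datetime.fromtimestamp(bucket, timezone.utc):%Y-%m-%d}  {total}")
    print("chart sum(_raw) by _time:")
    for t, total in chart_sum_raw_by_time(SAMPLE_EVENTS):
        print(f"  {datetime.fromtimestamp(t, timezone.utc):%Y-%m-%d %H:%M:%S}  {total}")
```

Run it directly to print both tables. Note that the 2024-03-04 bucket is blank even though an event exists there, because the second sed pattern needs a character after "stuff" and the leftover "7 stuff" is not a number; the same blank column appears in Splunk whenever the value being summed is not numeric or the named field was never extracted. Buckets here are aligned to UTC midnight; Splunk aligns day-sized spans to the user's configured time zone, so real bucket boundaries may differ.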

Path Finder

I tried timechart span="24hr" sum("field") as "field" and the column named field is blank. If I remove the timechart, I have the values in the events. I am expecting the values once every 24hrs. No need to sum anything, I just want the raw values charted. Where am I defining "field", or is that supposed to read stdin?

0 Karma