Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Construct multivariable histogram chart?

cool_pbenjamin
New Member
‎02-02-2023 03:24 PM

I have a search along these lines

 

 

"duration: "
| rex field=host "(?P<host_type>[my_magic_regex])"
| rex "duration: (?P<duration_seconds>[0-9]+)"
| chart count by duration_seconds host_type limit=0 span=1.0

 

 

This is working exactly as expected. However, since I am doing count by ... for each host type, the histograms constructed for each host_type vary wildly. 
The lines have such a different scale that overlaying them on the same axis is worthless.

I need to either
1. create a different chart for each host_type (and not worry about the actual value of count)
2. normalize the y axis so that instead of the literal count, the max peak for all histograms is 1 (or 100 or whatever)

I think I'll need a foreach command somewhere, but not sure what's the best route forward. Maybe there's a command similar to count that I should be using instead.

Labels (3)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎02-02-2023 04:55 PM

You could do trellis view with independent y-axis, but it depends on the number of variants you have as to whether it looks good or not.

Alternatively normalising all data can be done with 

| chart count by duration_seconds host_type limit=0 span=1.0
| addtotals
| eval Total=Total-coalesce(tonumber(duration_seconds),0)
| foreach * [ eval "<<FIELD>>"=if("<<MATCHSTR>>"="duration_seconds" OR "<<MATCHSTR>>"="Total", '<<FIELD>>', '<<FIELD>>'/Total*100) ]
| fields - Total

it's a bit messy with doing just addtotals for all fields, as that adds all totals and presumably your duration_seconds is numeric, so it will get included in the total counts. If you know host_type values, you can use those instead to avoid the "if" in the foreach.

 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Mile High Learning with Splunk University, Denver, Colorado

If Denver is known for its mile-high elevation, Splunk University is about to raise the bar on technical ...

IT Service Intelligence 5.0 Series: Your Guide to the June Launch

We are excited to announce the June release of Splunk IT Service Intelligence (ITSI) 5.0. This update ...

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...