Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Construct multivariable histogram chart?

cool_pbenjamin
New Member
‎02-02-2023 03:24 PM

I have a search along these lines

 

 

"duration: "
| rex field=host "(?P<host_type>[my_magic_regex])"
| rex "duration: (?P<duration_seconds>[0-9]+)"
| chart count by duration_seconds host_type limit=0 span=1.0

 

 

This is working exactly as expected. However, since I am doing count by ... for each host type, the histograms constructed for each host_type vary wildly. 
The lines have such a different scale that overlaying them on the same axis is worthless.

I need to either
1. create a different chart for each host_type (and not worry about the actual value of count)
2. normalize the y axis so that instead of the literal count, the max peak for all histograms is 1 (or 100 or whatever)

I think I'll need a foreach command somewhere, but not sure what's the best route forward. Maybe there's a command similar to count that I should be using instead.

Labels (3)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎02-02-2023 04:55 PM

You could do trellis view with independent y-axis, but it depends on the number of variants you have as to whether it looks good or not.

Alternatively normalising all data can be done with 

| chart count by duration_seconds host_type limit=0 span=1.0
| addtotals
| eval Total=Total-coalesce(tonumber(duration_seconds),0)
| foreach * [ eval "<<FIELD>>"=if("<<MATCHSTR>>"="duration_seconds" OR "<<MATCHSTR>>"="Total", '<<FIELD>>', '<<FIELD>>'/Total*100) ]
| fields - Total

it's a bit messy with doing just addtotals for all fields, as that adds all totals and presumably your duration_seconds is numeric, so it will get included in the total counts. If you know host_type values, you can use those instead to avoid the "if" in the foreach.

 

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

 Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...