Construct multivariable histogram chart?

cool_pbenjamin · ‎02-02-2023

I have a search along these lines

"duration: "
| rex field=host "(?P<host_type>[my_magic_regex])"
| rex "duration: (?P<duration_seconds>[0-9]+)"
| chart count by duration_seconds host_type limit=0 span=1.0

This is working exactly as expected. However, since I am doing count by ... for each host type, the histograms constructed for each host_type vary wildly.
The lines have such a different scale that overlaying them on the same axis is worthless.

I need to either
1. create a different chart for each host_type (and not worry about the actual value of count)
2. normalize the y axis so that instead of the literal count, the max peak for all histograms is 1 (or 100 or whatever)

I think I'll need a foreach command somewhere, but not sure what's the best route forward. Maybe there's a command similar to count that I should be using instead.

bowesmana · ‎02-02-2023

You could do trellis view with independent y-axis, but it depends on the number of variants you have as to whether it looks good or not.

Alternatively normalising all data can be done with

| chart count by duration_seconds host_type limit=0 span=1.0
| addtotals
| eval Total=Total-coalesce(tonumber(duration_seconds),0)
| foreach * [ eval "<<FIELD>>"=if("<<MATCHSTR>>"="duration_seconds" OR "<<MATCHSTR>>"="Total", '<<FIELD>>', '<<FIELD>>'/Total*100) ]
| fields - Total

it's a bit messy with doing just addtotals for all fields, as that adds all totals and presumably your duration_seconds is numeric, so it will get included in the total counts. If you know host_type values, you can use those instead to avoid the "if" in the foreach.

Construct multivariable histogram chart?

count

fields

stats

Unleash Unified Security and Observability with Splunk Cloud Platform

Splunk AppDynamics with Cisco Secure Application

New Splunk Innovations Enhance Performance and Accelerate Troubleshooting