Construct multivariable histogram chart?

cool_pbenjamin · ‎02-02-2023

I have a search along these lines

"duration: "
| rex field=host "(?P<host_type>[my_magic_regex])"
| rex "duration: (?P<duration_seconds>[0-9]+)"
| chart count by duration_seconds host_type limit=0 span=1.0

This is working exactly as expected. However, since I am doing count by ... for each host type, the histograms constructed for each host_type vary wildly.
The lines have such a different scale that overlaying them on the same axis is worthless.

I need to either
1. create a different chart for each host_type (and not worry about the actual value of count)
2. normalize the y axis so that instead of the literal count, the max peak for all histograms is 1 (or 100 or whatever)

I think I'll need a foreach command somewhere, but not sure what's the best route forward. Maybe there's a command similar to count that I should be using instead.

bowesmana · ‎02-02-2023

You could do trellis view with independent y-axis, but it depends on the number of variants you have as to whether it looks good or not.

Alternatively normalising all data can be done with

| chart count by duration_seconds host_type limit=0 span=1.0
| addtotals
| eval Total=Total-coalesce(tonumber(duration_seconds),0)
| foreach * [ eval "<<FIELD>>"=if("<<MATCHSTR>>"="duration_seconds" OR "<<MATCHSTR>>"="Total", '<<FIELD>>', '<<FIELD>>'/Total*100) ]
| fields - Total

it's a bit messy with doing just addtotals for all fields, as that adds all totals and presumably your duration_seconds is numeric, so it will get included in the total counts. If you know host_type values, you can use those instead to avoid the "if" in the foreach.

Construct multivariable histogram chart?

count

fields

stats

Mastering Data Pipelines: Unlocking Value with Splunk

The Latest Cisco Integrations With Splunk Platform!

AI Adoption Hub Launch | Curated Resources to Get Started with AI in Splunk