- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Convert data to hex with tostring inside chart
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Can we manipulate data with functions in a chart.
I have a chart table obtained with :
| chart count over user by date_wday
The result is the following :
| user | monday | thuesday |
| user1 | 36 | 52 |
| user2 | 28 | 192 |
| user3 | 235 | 492 |
Now imagine that I want to convert the count field in hexadecimal with "tostring(count,"hex")".
How can I do ?
I already managed to do it with "foreach" statement but after that, I cannot use the Trellis view cause the chart command is not at the end of the search.
Thanks for yout help.
A.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| makeresults
| eval _raw="user monday thuesday
user1 36 52
user2 28 192
user3 235 492"
| multikv forceheader=1
| table user monday thuesday
| untable user date_wday count
| eval count=mvrange(0,count)
| mvexpand count
| rename COMMENT as "this is your original sample. first, try chart. from here, the logic"
| stats count by user date_wday
| eval count = tostring(count,"hex")
| xyseries user date_wday count
try stats() ,eval and xyseries
| makeresults
| eval _raw="user monday thuesday
user1 36 52
user2 28 192
user3 235 492"
| multikv forceheader=1
| table user monday thuesday
| untable user date_wday count
| eval count=mvrange(0,count)
| mvexpand count
| rename COMMENT as "this is your original sample. from here, the logic"
| chart count over user by date_wday
| rename user as _user
| foreach * [ eval <<FIELD>> = tostring(<<FIELD>>,"hex")]
| rename _user as userthis is chart and foreach version.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| makeresults
| eval _raw="user monday thuesday
user1 36 52
user2 28 192
user3 235 492"
| multikv forceheader=1
| table user monday thuesday
| untable user date_wday count
| eval count=mvrange(0,count)
| mvexpand count
| rename COMMENT as "this is your original sample. first, try chart. from here, the logic"
| stats count by user date_wday
| eval count = tostring(count,"hex")
| xyseries user date_wday count
try stats() ,eval and xyseries
| makeresults
| eval _raw="user monday thuesday
user1 36 52
user2 28 192
user3 235 492"
| multikv forceheader=1
| table user monday thuesday
| untable user date_wday count
| eval count=mvrange(0,count)
| mvexpand count
| rename COMMENT as "this is your original sample. from here, the logic"
| chart count over user by date_wday
| rename user as _user
| foreach * [ eval <<FIELD>> = tostring(<<FIELD>>,"hex")]
| rename _user as userthis is chart and foreach version.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
The first solution (with stats, eval and xyseries) is working perfectly and is simpler.
I was not aware of the xyseries function.
For the second one, it is almost working as only the field "user" is available to trellis "splitBy" option ans this is not what I want.
But the first one is working, so thank you very much @to4kawa !
A.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When I use foreach to convert the counts to hex the graph still displays the values in decimal. And, yes, trellis format doesn't display correctly as I only see one day for each user.
If this reply helps you, Karma would be appreciated.
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
