Dual Histogram

motobeats
Path Finder

I am trying to create a histogram with two data sets that share the x-axis. I can do it for each data set but cannot get the sets onto a common x-axis.

Example search for one histogram:

source=*logs* earliest="10/13/2014:00:00:00" | rex "(?i)method.*=\s(?P<method1_time>\\d+)" | bucket method1_time span=100 | chart count by method1_time

How do I add method2_time to a unified x-axis?

0 Karma
1 Solution

motobeats
Path Finder

Got the answer from fourkidsco

I'm going to give this one a shot in the absence of any data examples...which means it may not work. I am assuming that the method2_time is extracted from the same events as method1_time? (This was unclear) If method1_time and method2_time are extracted from the same events, I would suggest extracting 2 things here instead of one: rather than extract the time to "method1_time" and "method2_time", just extract it to "method_time". Add another extraction to get the "method_type" (type 1 or type 2). Now do the following:

...| chart count over method_time span=100 by method_type

That should give you a single histogram with 2 bars per bucket, one each for type 1 and type 2. This may not work if the data is substantially different from what I had assumed it was.

This worked well for me. Query I used was:

source=*logs* earliest="10/13/2014:00:00:00" | rex "(?i)method.*=\s(?P<method_time>\\d+)" | search method_time=* | rex "(?i)java.class.signature*-\s(?P<method_name>\w+)\(" | search method_name=get* | bucket method_time span=100 | chart count over method_time by method_name

0 Karma

fourkidsco
Explorer

I know this is an old question... would it be possible to get a few example events for each data set? I have an idea of how to do this, but need to see some events to make sure.

0 Karma

motobeats
Path Finder

Sorry to take so long but here is an example of the events in the log. Haven't looked at this one in a while but would still like to be able to do this (two data sets on the same x-axis for a histogram).

2014-12-07 16:36:12,393 method1 - method time(ms) = 14714
2014-12-07 16:36:14,643 method2 - method time(ms) = 12652

0 Karma
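The single-field approach from the accepted solution, applied to the event format posted above, as a run-anywhere search (an added example, not part of the original thread). The first two events are the ones from the thread; the other three are constructed so the buckets contain both series, and the field name constructed_sample is chosen here for illustration.

```spl
| makeresults
| eval constructed_sample=split("2014-12-07 16:36:12,393 method1 - method time(ms) = 14714;2014-12-07 16:36:14,643 method2 - method time(ms) = 12652;2014-12-07 16:36:20,101 method1 - method time(ms) = 12688;2014-12-07 16:36:25,870 method2 - method time(ms) = 14750;2014-12-07 16:36:31,002 method2 - method time(ms) = 14790", ";")
| mvexpand constructed_sample
| rename constructed_sample AS _raw
| rex "(?<method_type>method\d+) - method time\(ms\) = (?<method_time>\d+)"
| where isnotnull(method_time)
| bin method_time span=100
| chart count over method_time by method_type
```

With these events the result has two rows, 12600-12700 (method1=1, method2=1) and 14700-14800 (method1=1, method2=2), so both series share one x-axis. To run it against real data, replace the first four lines with the base search.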