Solved: Re: Dual Histogram

motobeats · ‎11-11-2014

I am trying to create a histogram with two data sets that share the x-axis. I can do it for each data set but can not get the sets onto a common x-axis.

Example search for one histogram:

source=*logs* earliest="10/13/2014:00:00:00" | rex "(?i)method.*=\s(?P<method1_time>\\d+)" |bucket method1_time span=100|           chart count by method1_time

How do I add method2_time to a unified x-axis?

motobeats · ‎06-25-2015

Got the answer from fourkidsco

 I'm going to give this one a shot in  the absence of any data examples...which means it may not work. I am assuming that the method2_time is extracted from the same events as method1_time? (This was unclear) If method1_time and method2_time are extracted from the same events, I would suggest extracting 2 things here instead of one: rather than extract the time to "method1_time" and "method2_time", just extract it to "method_time".  Add another extraction to get the "method_type" (type 1 or type 2). Now do the following:  ...| chart count over method_time span=100 by method_type That should give you a single histogram with 2 bars per bucket, one each for type 1 and type 2. This may not work if the data is substantially different from what I had assumed it was.

This worked well for me. Query I used was:

source=*logs* earliest="10/13/2014:00:00:00" | rex "(?i)method.*=\s(?P<method_time>\\d+)" |search method_time=*|rex "(?i)java.class.signature*-\s(?P<method_name>\w+)\("|search method_name=get*|bucket method_time span=100|chart count over method_time by method_name

View solution in original post

motobeats · ‎06-25-2015

Got the answer from fourkidsco

 I'm going to give this one a shot in  the absence of any data examples...which means it may not work. I am assuming that the method2_time is extracted from the same events as method1_time? (This was unclear) If method1_time and method2_time are extracted from the same events, I would suggest extracting 2 things here instead of one: rather than extract the time to "method1_time" and "method2_time", just extract it to "method_time".  Add another extraction to get the "method_type" (type 1 or type 2). Now do the following:  ...| chart count over method_time span=100 by method_type That should give you a single histogram with 2 bars per bucket, one each for type 1 and type 2. This may not work if the data is substantially different from what I had assumed it was.

This worked well for me. Query I used was:

source=*logs* earliest="10/13/2014:00:00:00" | rex "(?i)method.*=\s(?P<method_time>\\d+)" |search method_time=*|rex "(?i)java.class.signature*-\s(?P<method_name>\w+)\("|search method_name=get*|bucket method_time span=100|chart count over method_time by method_name

fourkidsco · ‎04-16-2015

I know this is an old question....would it be possible to get a few example events for each data set? I have an idea of how to do this, but need to see some events to make sure

motobeats · ‎06-25-2015

Sorry to take so long but here is an example of the events in the log. Haven't looked at this one in a while but would still like to be able to do this (two data sets on the same x-axis for a histogram)

2014-12-07 16:36:12,393 method1 - method time(ms) = 14714
2014-12-07 16:36:14,643 method2 - method time(ms) = 12652

Dual Histogram

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

SplunkTrust Application Period is Officially OPEN!

Join the Conversation