Dual Histogram

motobeats
Path Finder

I am trying to create a histogram with two data sets that share the x-axis. I can do it for each data set but cannot get the sets onto a common x-axis.

Example search for one histogram:

source=*logs* earliest="10/13/2014:00:00:00" | rex "(?i)method.*=\s(?P<method1_time>\\d+)" | bucket method1_time span=100 | chart count by method1_time

How do I add method2_time to a unified x-axis?

0 Karma

motobeats
Path Finder

Got the answer from fourkidsco

I'm going to give this one a shot in the absence of any data examples...which means it may not work. I am assuming that the method2_time is extracted from the same events as method1_time? (This was unclear) If method1_time and method2_time are extracted from the same events, I would suggest extracting 2 things here instead of one: rather than extract the time to "method1_time" and "method2_time", just extract it to "method_time". Add another extraction to get the "method_type" (type 1 or type 2). Now do the following:

...| chart count over method_time span=100 by method_type

That should give you a single histogram with 2 bars per bucket, one each for type 1 and type 2. This may not work if the data is substantially different from what I had assumed it was.

This worked well for me. Query I used was:

source=*logs* earliest="10/13/2014:00:00:00" | rex "(?i)method.*=\s(?P<method_time>\\d+)" |search method_time=*|rex "(?i)java.class.signature*-\s(?P<method_name>\w+)\("|search method_name=get*|bucket method_time span=100|chart count over method_time by method_name

0 Karma

fourkidsco
Explorer

I know this is an old question....would it be possible to get a few example events for each data set? I have an idea of how to do this, but need to see some events to make sure

0 Karma

motobeats
Path Finder

Sorry to take so long but here is an example of the events in the log. Haven't looked at this one in a while but would still like to be able to do this (two data sets on the same x-axis for a histogram)

2014-12-07 16:36:12,393 method1 - method time(ms) = 14714
2014-12-07 16:36:14,643 method2 - method time(ms) = 12652

0 Karma
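
The suggestion from the accepted answer, applied to the event format posted above, as an added example that is not part of the original thread: a single rex extracts both method_type and method_time, and chart then splits each 100 ms bucket by method. The first two sample events are the ones posted in the thread; the other three are constructed, and the field name line is an assumption used only to feed the samples in through makeresults.

```spl
| makeresults
| eval line=split("2014-12-07 16:36:12,393 method1 - method time(ms) = 14714;2014-12-07 16:36:14,643 method2 - method time(ms) = 12652;2014-12-07 16:36:15,101 method1 - method time(ms) = 12610;2014-12-07 16:36:17,820 method2 - method time(ms) = 14790;2014-12-07 16:36:19,004 method1 - method time(ms) = 14733", ";")
| mvexpand line
| rex field=line "(?<method_type>method\d+) - method time\(ms\) = (?<method_time>\d+)"
| chart count over method_time span=100 by method_type
```

To run it against indexed logs, replace the first three lines with the base search and drop field=line so that rex reads _raw.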