Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Extract a specific value and make a visualizat...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Extract a specific value and make a visualization with time
I have regular traffic passing through my server. The server has the IP 10.41.6.222
My goal is to extract the Rate /sec passing through the server and to be able to see theRate /sec in a graph an having x asis showing time and y axis Rate /sec (extracted values).
-----------------------------------------------------------------------------------------------------------------------------------
Rate 0/sec : Bytes 9815772 : from owa client to vs_owa with address 10.41.6.166:443:10.41.6.222Rate 402/sec : Bytes 9816135 : from owa client to vs_owa with address 10.41.6.166:443:10.41.6.222Rate 139587/sec : Bytes 10004146 : from owa client to vs_owa with address 10.41.6.166:443:10.41.6.222Rate 147636/sec : Bytes 10009645 : from owa client to vs_owa with address 10.41.6.166:443:10.41.6.222Rate 69967/sec : Bytes 10358668 : from owa client to vs_owa with address 10.41.6.166:443:10.41.6.222Rate 69967/sec : Bytes 10361672 : from owa client to vs_owa with address 10.41.6.166:443:10.41.6.222Rate 69967/sec : Bytes 10364579 : from owa client to vs_owa with address 10.41.6.166:443:10.41.6.222Rate 69967/sec : Bytes 10364667 : from owa client to vs_owa with address 10.41.6.166:443:10.41.6.222Rate 49661/sec : Bytes 10371887 : from owa client to vs_owa with address 10.41.6.166:443:10.41.6.222Rate 217793/sec : Bytes 10700517 : from owa client to vs_owa with address 10.41.6.166:443:10.41.6.222Rate 353829/sec : Bytes 10944230 : from owa client to vs_owa with address 10.41.6.166:443:10.41.6.222Rate 93689/sec : Bytes 10946290 : from owa client to vs_owa with address 10.41.6.166:443:10.41.6.222Rate 82030/sec : Bytes 10950753 : from owa client to vs_owa with address
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you Giuseppe. Can you please explain line after line ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @john_snow00,
I try to explain:
<your_search> --- it's your search, e.g. index=your_index sourcetype=your_sourcetype ---
| rex "Rate\s+(?<Bytes>\d+)\/sec" --- Bytes field extraction ---
| eval MB=Bytes/1024/1024 --- change measure of Bytes field from bytes to MB ----
| timechart sum(MB) AS MB --- sum of the traffic foe time periods, it's possible to define this span period ---Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for the explanation. The rate in seconds you see above are produced by Loadbalancer upon incoming TCP requests. The logs are later pushed to splunk for analysis.
I d'ont want to carry any futher calculation. I just want to extract the rate /sec from the raw and present it upon time (x-axis).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @john_snow00,
sorry, where is the timestamp?
if it isn't contained in the event, it's added by Splunk.
Anyway, you could run something like this:
<your_search>
| rex "Rate\s+(?<Bytes>\d+)\/sec"
| eval MB=Bytes/1024/1024
| timechart sum(MB) AS MBI also added the regex to extract the field, if you already have it, don't use my regex.
Ciao.
Giuseppe
September Community Champions: A Shoutout to Our Contributors!
Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps
What’s New in Splunk Observability – September 2025
