Splunk Search

Extract fields with names like "Foo_" with values

sberry2a
Engager

I have a line being logged similar to

Foo_Thing=10.0 Foo_Thing2=12.2 Foo_OtherThing=34.5 Foo_YetAnotherThing2=43.3

What I want to do is create a chart of these values (possibly a pie chart) but so far I have not been able to get BOTH the value AND the label into the chart like I want.

I have tried lots of things, like extract, kvpairs, etc, etc... this is the closest I can come

sourcetype="syslog" "Foo percetages" | head 1 | rex "(?P<ftype>Foo_[a-zA-Z0-9]+)=(?P<perc>[\d\.]+)" max_match=40 | chart max(perc) by ftype

Of course this charts each ftype by the max value of the perc, so 43.3 for all. I have attempted using the function values, but this maps every value to every ftype, which is also not what I want. What can I do to capture the field name AND field value and have them paired up so charting makes sense?


martin_mueller
SplunkTrust

While you may already have found a workable solution, I'd like to pick up on this search from your question:

sourcetype="syslog" "Foo percetages" | head 1 | rex "(?P<ftype>Foo_[a-zA-Z0-9]+)=(?P<perc>[\d\.]+)" max_match=40 ( | chart removed)

Does this yield one event with two multivalue fields called ftype and perc? If so, you can turn that into forty events with singlevalue fields like this:

... | rex ... | eval temp = mvzip(ftype, perc, "=") | mvexpand temp | rex field=temp "^(?<ftype>[^=]+)=(?<perc>[^=]+)$" | chart max(perc) by ftype

The great thing about this is that you're not restricted to one event. You could throw a day's worth of events at this and run a timechart over that if you like.

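To make the difference between the two searches concrete, here is an added Python model of what happens in each pipeline; it is not part of the original thread and not Splunk's own code. It assumes a constructed event modelled on the line in the question, reproduces the question's rex pattern with max_match (two multivalue fields on one event), shows why max(perc) by ftype then reports the same value for every field name (every ftype is associated with every perc), and shows how the mvzip/mvexpand/rex step pairs name and value positionally so the chart is correct. A second constructed event is included to show that the paired form also works across many events, as the answer notes.

```python
import re
from itertools import product

# Constructed sample events, modelled on the line in the question (not real log data).
SAMPLE_EVENTS = [
    "Foo_Thing=10.0 Foo_Thing2=12.2 Foo_OtherThing=34.5 Foo_YetAnotherThing2=43.3",
    "Foo_Thing=11.5 Foo_Thing2=9.0 Foo_OtherThing=30.0 Foo_YetAnotherThing2=41.0",
]

# Same pattern as the question's rex, applied repeatedly (the max_match behaviour).
FIELD_RE = re.compile(r"(?P<ftype>Foo_[a-zA-Z0-9]+)=(?P<perc>[\d.]+)")
# Same pattern as the answer's second rex over the zipped "ftype=perc" string.
PAIR_RE = re.compile(r"^(?P<ftype>[^=]+)=(?P<perc>[^=]+)$")


def rex_max_match(event, max_match=40):
    """Model `rex ... max_match=40`: one event, two multivalue fields ftype and perc."""
    matches = FIELD_RE.findall(event)[:max_match]
    return {"ftype": [m[0] for m in matches], "perc": [float(m[1]) for m in matches]}


def chart_max_unpaired(event_fields):
    """Model `chart max(perc) by ftype` on an event whose ftype and perc are both
    multivalue: nothing links position i of ftype to position i of perc, so every
    ftype is associated with every perc and max() is the same for all of them."""
    result = {}
    for f, p in product(event_fields["ftype"], event_fields["perc"]):
        result[f] = max(result.get(f, float("-inf")), p)
    return result


def mvzip_mvexpand(event_fields, sep="="):
    """Model `eval temp=mvzip(ftype, perc, "=") | mvexpand temp | rex field=temp ...`:
    zip the two multivalue fields positionally, expand into one row per pair, and
    re-extract single-value ftype and perc from each row."""
    rows = []
    for f, p in zip(event_fields["ftype"], event_fields["perc"]):
        temp = f"{f}{sep}{p}"          # mvzip builds "Foo_Thing=10.0"
        m = PAIR_RE.match(temp)        # rex field=temp splits it back into two fields
        rows.append({"ftype": m["ftype"], "perc": float(m["perc"])})
    return rows


def chart_max_paired(rows):
    """Model `chart max(perc) by ftype` over the expanded single-value rows."""
    result = {}
    for r in rows:
        result[r["ftype"]] = max(result.get(r["ftype"], float("-inf")), r["perc"])
    return result


def events_to_rows(events):
    """Run the full pipeline over many events, as the answer suggests for a day's data."""
    rows = []
    for ev in events:
        rows.extend(mvzip_mvexpand(rex_max_match(ev)))
    return rows


if __name__ == "__main__":
    first = rex_max_match(SAMPLE_EVENTS[0])
    print("unpaired:", chart_max_unpaired(first))             # 43.3 for every ftype
    print("paired:  ", chart_max_paired(mvzip_mvexpand(first)))  # one value per ftype
    print("all events:", chart_max_paired(events_to_rows(SAMPLE_EVENTS)))
```

The pairing relies on mvzip combining values by position, which holds because both multivalue fields come from the same rex run over the same event and are therefore the same length and in the same order; if a value could itself contain the separator, pick a separator that cannot occur in the data before the second rex splits on it.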

MuS
SplunkTrust

Hi sberry2a,

well, you are the only one that can answer this, because you know what your expectations are and what makes sense to you or what does not...

If you're playing with values(), the best thing to do is to use it with timechart; this way you will get a nice chart based on _time. If you want to use stats or chart you will have to decide if you want to show the max(), min(), avg(), first(), last() and so on...

Have a look at the docs on the functions for stats, chart and timechart

hope this helps to get you started building the chart you need ...

cheers, MuS


MuS
SplunkTrust

that's nice 🙂


sberry2a
Engager

I ended up sending everything to | table Foo_* | transpose 40 and the visualization started working. I was under the assumption that the viz could only be generated by sending to some sort of charting function. I understand now why that was an incorrect assumption.
