I have a line being logged similar to
Foo_Thing=10.0 Foo_Thing2=12.2 Foo_OtherThing=34.5 Foo_YetAnotherThing2=43.3
What I want to do is create a chart of these values (possibly a pie chart) but so far I have not been able to get BOTH the value AND the label into the chart like I want.
I have tried lots of things, like kvpairs, etc, etc... this is the closest I can come:
sourcetype="syslog" "Foo percetages" | head 1 | rex "(?P<ftype>Foo_[a-zA-Z0-9]+)=(?P<perc>[\d\.]+)" max_match=40 | chart max(perc) by ftype
Of course this charts each ftype by the max value of the perc, so 43.3 for all. I have attempted using the function values, but this maps every value to every ftype, which is also not what I want. What can I do to capture the field name AND field value and have them paired up so charting makes sense?
While you may already have found a workable solution, I'd like to pick up on this search from your question:
sourcetype="syslog" "Foo percetages" | head 1 | rex "(?P<ftype>Foo_[a-zA-Z0-9]+)=(?P<perc>[\d\.]+)" max_match=40 ( | chart removed)
Does this yield one event with two multivalue fields called ftype and perc? If so, you can turn that into forty events with singlevalue fields like this:
... | rex ... | eval temp = mvzip(ftype, perc, "=") | mvexpand temp | rex field=temp "^(?<ftype>[^=]+)=(?<perc>[^=]+)$" | chart max(perc) by ftype
The great thing about this is that you're not restricted to one event. You could throw a day's worth of events at this and run a timechart over that if you like.
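The mvzip/mvexpand pairing from the answer above, written out as a self-contained search (an added example, not part of the original answer). It uses makeresults to generate two constructed events, so it needs no indexed data; the second event's values and the helper field n are made up for illustration.

```spl
| makeresults count=2
| streamstats count AS n
| eval _raw=if(n=1,
    "Foo_Thing=10.0 Foo_Thing2=12.2 Foo_OtherThing=34.5 Foo_YetAnotherThing2=43.3",
    "Foo_Thing=11.5 Foo_Thing2=9.8 Foo_OtherThing=30.1 Foo_YetAnotherThing2=48.6")
| rex max_match=40 "(?P<ftype>Foo_[a-zA-Z0-9]+)=(?P<perc>[\d\.]+)"
| eval temp=mvzip(ftype, perc, "=")
| mvexpand temp
| rex field=temp "^(?<ftype>[^=]+)=(?<perc>[^=]+)$"
| chart max(perc) by ftype
```

Dropping everything from `eval temp` through the second `rex` reproduces the problem in the question: each event still carries all four perc values alongside every ftype, so every ftype charts the same maximum.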
Well, you are the only one that can answer this, because you know what your expectations are and what makes sense to you or what does not...
If you are playing with values(), the best thing to do is to use it with timechart; this way you will get a nice chart based on _time. If you want to use chart you will have to decide if you want to show the max(), min(), avg(), first(), last() and so on...
Have a look at the docs on the functions for stats, chart and timechart.
Hope this helps to get you started building the chart you need...
I ended up sending everything to | table Foo_* | transpose 40 and the visualization started working. I was under the assumption that the viz could only be generated by sending to some sort of charting function. I understand now why that was an incorrect assumption.