Getting a chart out of timechart

teichhorn
New Member

Hi,

I have a set of log data which is sent to Splunk; it contains temperature data from some sensors. To get a nice list I used the following search:

source="envmon" | timechart list(bathtemp) list(balconytemp) list(kitchentemp) list(livingtemp) list(officetemp) list(sleepingtemp) cont=f

That works very well and gives me the following output:

[screenshot of the table output]

But when switching to chart, the chart itself looks like this:

[screenshot of the chart]

I believe I overlook something very obvious to get a nice line chart over time,
and I hope someone here has some clue for me...

Thanks,
Tom


Ayn
Legend

list produces a list for a certain field. If there are multiple values in that list, timechart would have no way of knowing what to do with that, so it doesn't make sense for timechart to accept values from a list.

What is the reason for using list, and in what cases does it produce multiple results? If I were to go about this I would want two fields (apart from the timestamp): one for the temperature, and one for the location. In an example, let's call them temperature and location.

Now, some explanation on how timechart behaves: timechart needs some kind of statistical function that returns a unique value for the timespan it's operating on. If you don't define the timespan yourself it will be set dynamically depending on what timerange the whole search spans, but let's take an example where the timespan is 1 minute and that somewhere in your log you have 3 temperature readings from a certain sensor occurring in the index within 1 minute. Splunk needs to know how to give you ONE value for "temperature", even though there are 3 values of each. You can tell Splunk to just give you an average from the 3 events using the stats function avg:

... | timechart span=1m avg(temperature) as Temperature

Or, if you only want the values from the first of the events within the time period, use first instead of avg. Want the sum? Use sum. And so on. More information on statistical functions is available here: http://www.splunk.com/base/Documentation/latest/SearchReference/Stats

To make it do this split by location, just add a by directive at the end of the timechart command:

... | timechart span=1m avg(temperature) as Temperature by location

Ayn
Legend

Ok, so instead of splitting by a general time field, just do

... | timechart avg(bathtemp),avg(balconytemp) ...

You could also just use table if you want:

... | table _time bathtemp balconytemp ...

Both these should produce output that is consumable by the chart module.

teichhorn
New Member

Well, the problem is that location is not a field itself, but part of the field name. The input looks like: bathtemp="19,9";balconytemp="21,8";livingtemp="20,5";sleepingtemp="20,4";kitchentemp="20,4";officetemp="21,1";bathhydro="54";balconyhydro="54";livinghydro="52";sleepinghydro="57";kitchenhydro="54";officehydro="50"

Maybe I'm just a little bit stuck on some concept of Splunk...
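To make Ayn's explanation of timechart concrete for this exact log format, here is an added example (not from the thread or from Splunk) that emulates `timechart span=1m avg(temperature) by location` in plain Python: it parses the poster's `bathtemp="19,9";...` lines, recovers the location from the field name, converts the decimal comma so the value is numeric (a string like "19,9" cannot be averaged as-is), and returns one value per minute per location. The timestamps and readings are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events in the poster's envmon format, with a timestamp
# prepended. Three readings fall inside the 12:00 minute, one inside 12:01.
SAMPLE_LOG = """\
2024-01-01T12:00:05Z bathtemp="19,9";balconytemp="21,8";livingtemp="20,5"
2024-01-01T12:00:25Z bathtemp="20,1";balconytemp="21,6";livingtemp="20,5"
2024-01-01T12:00:55Z bathtemp="20,3";balconytemp="21,4";livingtemp="20,6"
2024-01-01T12:01:10Z bathtemp="20,0";balconytemp="21,0";livingtemp="20,4"
"""

# Matches <location>temp="<value>"; the hydro fields are deliberately ignored.
KV_RE = re.compile(r'(\w+?)temp="([\d,]+)"')

def parse_events(text):
    """Yield (epoch_seconds, location, temperature) rows, one per sensor.
    The location comes from the field name (bathtemp -> bath) and the
    decimal comma is replaced so the reading becomes a real number."""
    for line in text.splitlines():
        ts_text, _, kv = line.partition(" ")
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        epoch = int(ts.timestamp())
        for location, raw in KV_RE.findall(kv):
            yield epoch, location, float(raw.replace(",", "."))

# The statistical functions Ayn mentions: each collapses N readings to ONE value.
AGGS = {
    "avg": lambda vs: sum(vs) / len(vs),
    "first": lambda vs: vs[0],
    "sum": sum,
}

def timechart(rows, func="avg", span=60):
    """Emulate `timechart span=<span>s <func>(temperature) by location`:
    buckets aligned to the span, one aggregated value per bucket per location."""
    buckets = defaultdict(lambda: defaultdict(list))
    for epoch, location, temp in rows:
        buckets[epoch - epoch % span][location].append(temp)
    return {
        t: {loc: round(AGGS[func](vals), 2) for loc, vals in sorted(series.items())}
        for t, series in sorted(buckets.items())
    }

if __name__ == "__main__":
    for t, series in timechart(parse_events(SAMPLE_LOG)).items():
        print(datetime.fromtimestamp(t, timezone.utc).strftime("%H:%M"), series)
```

Each row of the result is one time bucket with one column per location, which is the shape a line chart needs; switching `func` to `first` or `sum` changes only how the three readings inside a minute are collapsed.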
