We've got an XML file that is being parsed correctly (and easily - just piped into xmlkv) but one of the fields is numeric and I'm darned if I can figure out how to get the timechart to show the actual value for this particular field over time - timechart seems to want statistical functions like max, average, etc. rather than just throw up the value for that field.
What I'm trying to do is pretty simple and would look like this:
source="foo.xml" | xmlkv | timechart valueOf(some_numeric_value)
FWIW, it looks like the extracted field knows it's a numeric value as there is an italic (n) behind the field name.
So xmlkv seems to be parsing all this just fine. What I am wanting is simply a chart that plots the value of "fbar" each time it appears. Since this will always be a numeric value, it should be possible to do, right?
By definition, the timechart command requires a function as its first argument. Why? Because Splunk cannot plot every possible time on the X-axis; it must aggregate the time into ranges. The function is required for the Y-axis so that Splunk knows how to aggregate the data points consistently with the time ranges (aka spans).
So if your field is named fbar, you have to choose some function that tells Splunk how to aggregate fbar for the timechart. You have lots of choices:
"But," you say, "the value of fbar is the same throughout the time intervals. Why can't I just say fbar?" Sorry, you can't. But if the value of fbar really is the same, you could use first(fbar).
The complete list of functions for timechart is here
BTW, this is true for all fields, not just fields that you extracted,,,