
How do I display value of extracted numeric field in a timechart?


We've got an XML file that is being parsed correctly (and easily - just piped into xmlkv) but one of the fields is numeric and I'm darned if I can figure out how to get the timechart to show the actual value for this particular field over time - timechart seems to want statistical functions like max, average, etc. rather than just throw up the value for that field.

What I'm trying to do is pretty simple and would look like this:
source="foo.xml" | xmlkv | timechart valueOf(some_numeric_value)

FWIW, it looks like the extracted field knows it's a numeric value as there is an italic (n) behind the field name.


Ah, perhaps I didn't make things clear. The file looks something like this:

<when>Wed Aug 17 17:11:54 +0000 2011</when>
<when>Wed Aug 17 19:32:26 +0000 2011</when>

So xmlkv seems to be parsing all this just fine. What I am wanting is simply a chart that plots the value of "fbar" each time it appears. Since this will always be a numeric value, it should be possible to do, right?



By definition, the timechart command requires a function as its first argument. Why? Because Splunk cannot plot every possible time on the X-axis; it must aggregate the time into ranges. The function is required for the Y-axis so that Splunk knows how to aggregate the data points consistently with the time ranges (aka spans).

So if your field is named fbar, you have to choose some function that tells Splunk how to aggregate fbar for the timechart. You have lots of choices:

timechart avg(fbar)
timechart max(fbar)
timechart sum(fbar)
timechart first(fbar)

"But," you say, "the value of fbar is the same throughout the time intervals. Why can't I just say fbar?" Sorry, you can't. But if the value of fbar really is the same, you could use first(fbar).

The complete list of functions for timechart is here

BTW, this is true for all fields, not just fields that you extracted.
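A small Python model of the span bucketing described in the answer above, added here as an illustration; it is not part of the original posts and not Splunk's implementation. The fbar values, the middle event and the helper names are constructed for the example.

```python
from datetime import datetime, timezone

# Constructed sample events (timestamp, fbar). The fbar values are made up.
EVENTS = [
    ("2011-08-17 17:11:54", 55),
    ("2011-08-17 17:48:10", 40),
    ("2011-08-17 19:32:26", 70),
]

# Each function collapses all values that fall in one span to a single point.
AGGREGATES = {
    "avg": lambda vals: sum(vals) / len(vals),
    "max": max,
    "sum": sum,
    # first() is the first value seen in search order; a search returns the
    # newest events first, so this is normally the latest value in the span.
    "first": lambda vals: vals[0],
}


def to_epoch(ts):
    """Parse a UTC timestamp string into epoch seconds."""
    dt = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    return int(dt.replace(tzinfo=timezone.utc).timestamp())


def timechart(events, span, func):
    """Bucket events into span-second ranges and aggregate each bucket.

    Returns [(bucket_start "HH:MM", value), ...] in time order. Empty
    buckets are omitted in this model.
    """
    buckets = {}
    # Feed events newest-first, the order a search hands them to the command.
    for ts, value in sorted(events, key=lambda e: to_epoch(e[0]), reverse=True):
        epoch = to_epoch(ts)
        buckets.setdefault(epoch - epoch % span, []).append(value)
    agg = AGGREGATES[func]
    return [
        (datetime.fromtimestamp(start, timezone.utc).strftime("%H:%M"), agg(vals))
        for start, vals in sorted(buckets.items())
    ]


if __name__ == "__main__":
    for name in AGGREGATES:
        print("span=1h", name, timechart(EVENTS, 3600, name))
    print("span=1m first", timechart(EVENTS, 60, "first"))
```

With a one-hour span the two 17:xx events share a bucket and every function reports a different value for it; with a span short enough that each event sits alone, all four functions return the raw fbar value.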
