Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I edit my search to convert a string to a numeric value to display a graph?

Sr59
Explorer
‎02-22-2016 10:35 PM

Hi!

I'm indexing XML data containing free memory values and get a nice stats table, but not be able to show that as a graph because Splunk interprets memory values as strings.
My event example is attached.

I tried to convert string to numbers, but didn't succeed.

sourcetype=DCM_MEAS_XML | rename Measurement.lcp0_shp as lcp0_shp | eval num=if(isnum(lcp0_shp),"yes","no") |  eval str=if(isstr(lcp0_shp),"yes","no") | Convert num(lcp0_shp) as number | eval converted=if(isnum(number),"yes","no") | stats values(num) values(str) values(converted) values(number) by _time

This gave me following output:

_time                    values(num)   values(str   )values(converted)   values(number)
2016-02-22 19:41:28.359   no            yes        no                 2976716

Sample event:

alt text

splunk-xml.jpg
Preview file
41 KB
Reply

Sr59
Explorer
‎02-29-2016 02:12 AM

Hi!

I changed the file to json format and split it so that one file contains only measurements done in one time value (vs earlier several measurements in one file which was split to separated measurement events in sourcetype).

Now I'm able to draw a graph using search command:

source="Measurement_meminfo_20160225_132246_264_v2.json" host="ourdsplunk60.emea.nsn-net.net" sourcetype="_json" | rename Measurement{}.Time as mtime | stats last(Measurement{}.lcp0_shp) max(Measurement{}.lcp0_ahp0) max(Measurement{}.lsp0_k2a) max(Measurement{}.lsp0_k2c) max(Measurement{}.lsp0_axm0) max(Measurement{}.lsp0_k2b) by mtime

alt text

alt text

Maybe we need still improve the json file but anyway this is already working. Thanks for your help!

Regards,
Hannu

splunk-json.jpg
Preview file
75 KB
splunk-json-graph.jpg
Preview file
213 KB
0 Karma
Reply

fdi01
Motivator
‎02-23-2016 06:14 AM

try :

sourcetype=DCM_MEAS_XML | rename Measurement.lcp0_shp as lcp0_shp | eval num=if(isnum(lcp0_shp),"yes","no") | eval str=if(isstr(lcp0_shp),"yes","no") | Convert auto(lcp0_shp) as number | eval converted=if(isnum(number),"yes","no") | stats values(num) values(str) values(converted) values(number) by _time
0 Karma
Reply

Sr59
Explorer
‎02-29-2016 02:03 AM

Hi!

Yes I did but same result.

Regards,
Hannu

0 Karma
Reply

Sr59
Explorer
‎02-25-2016 09:56 PM

Hi!

Thanks for your answers. I tried the convert auto option as well but unfortunately it didn't help.

alt text

splunk-20160224.jpg
Preview file
98 KB
0 Karma
Reply

jplumsdaine22
Influencer
‎02-29-2016 01:40 AM

I notice you're running the search in Fast Mode - have you tried it in Smart Mode instead?

0 Karma
Reply

jplumsdaine22
Influencer
‎02-23-2016 02:54 AM

Can you confirm you get no visualisation for the following search?

sourcetype=DCM_MEAS_XML | timechart max(Measurement.lcp0_shp)

I tried to replicate your issue with the following search :

|gentimes start=-1 | fields - endhuman endtime starthuman | eval lcp0_shp="123456 " |  eval num=if(isnum(lcp0_shp),"yes","no") | eval str=if(isstr(lcp0_shp),"yes","no") | convert num(lcp0_shp) as number | eval converted=if(isnum(number),"yes","no") | stats values(num) values(str) values(converted) values(number) by starttime

but it looks perfectly fine:

starttime   values(num) values(str) values(converted)   values(number)
1456128000  no            yes                   yes     123456

Can you run my gentimes search as well to see if you get the same output?

Reply

Sr59
Explorer
‎02-26-2016 12:41 AM

Hi!

I suppose that my problem is that those measurements are not connected to _time which I have tried to use. I suppose I should use Time event and somehow combine measurements to measurement Time to be able to draw a graph. Do you have any proposal how to do it?

Regards,
Hannu

0 Karma
Reply

jplumsdaine22
Influencer
‎02-29-2016 02:16 AM

I am flummoxed. I can't see why you get no values.

Even a straight sourcetype=DCM_MEAS_XML | table _time Measurement.lcp0_shp should give you a visualisation. Any chance you can post raw data so we can try and replicate the issue?

0 Karma
Reply

Sr59
Explorer
‎02-29-2016 02:31 AM

Hi!

This looks still the same no visualisation. I found a workaround but it's not yet visible here.

Regards,
Hannu

0 Karma
Reply

Sr59
Explorer
‎02-23-2016 04:05 AM

Hi!

 sourcetype=DCM_MEAS_XML | chart  _time Measurement.lcp0_shp

gave me an error message 🙂

but your gentimes search gave exactly same result than for you.

sourcetype=DCM_MEAS_XML | chart values(Measurement.lcp0_shp) by _time

search didn't give any visualization for me. Please see the attachment.
alt text

0 Karma
Reply

jplumsdaine22
Influencer
‎02-24-2016 06:40 AM

Sorry I typod the first search. That should have been a timechart max() can you try it again?

0 Karma
Reply

Sr59
Explorer
‎02-25-2016 10:14 PM

Hi!

Unfortunately neither this didn't solve my problem.

Regards,
Hannu

0 Karma
Reply
Get Updates on the Splunk Community!

Transforming Financial Data into Fraud Intelligence

Every day, banks and financial companies handle millions of transactions, logins, and customer interactions ...

How to send events & findings from AWS to Splunk using Amazon EventBridge

Amazon EventBridge is a serverless service that uses events to connect application components together, making ...

Exciting News: The AppDynamics Community Joins Splunk!

Hello Splunkers,   I’d like to introduce myself—I’m Ryan, the former AppDynamics Community Manager, and I’m ...
Top