Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to chart a varying number of fields?

andrewjgriffin
Engager
‎09-02-2015 12:32 PM

I have message data similar to as follows, which is the count of active user processes on a host:

host=hostA user1:0 user3:12 user10:2 user2:0
host=hostB user1:1 user4:8
host=hostC user10:2 user21:3 user2:0 user4:0 user14:8 user15:0

The format of the user fields is always the same - "user name":"number of processes" - however, the number of users reported on each host is variable. Some hosts will only have a few, some have dozens. I'm trying to create a chart to count the number of processes per user, split by user, on a given host over time, and I'm stuck. I'm assuming I need to use the format option, but I can't get the fields to split like I need. This is what I've come up with, but it returns no results:

index=_dev host=hostB | chart format=$AGG$:$VAL$ max($VAL$) by $AGG$
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎09-02-2015 03:06 PM

Try something like this

index=_dev  host=hostB | extract kvdelim="=:" pairdelim=" " | table host user* | untable host user processcount

** for your rex solution **

index=_dev  host=hostB  | rex max_match=0 field=_raw "(?<temp>\w+:\d+)"   | table _time temp | mvexpand temp |   rex field=temp "(?<user_id>\w+):(?<proc_count>\d+)" | timechart max(proc_count) by user_id

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎09-02-2015 03:06 PM

Try something like this

index=_dev  host=hostB | extract kvdelim="=:" pairdelim=" " | table host user* | untable host user processcount

** for your rex solution **

index=_dev  host=hostB  | rex max_match=0 field=_raw "(?<temp>\w+:\d+)"   | table _time temp | mvexpand temp |   rex field=temp "(?<user_id>\w+):(?<proc_count>\d+)" | timechart max(proc_count) by user_id
Reply
Solved! Jump to solution

andrewjgriffin
Engager
‎09-03-2015 11:30 AM

This rex is getting me a table like I want to see:

rex max_match=0 field=_raw "(?\w+):(?\d+)" | table user_id proc_count

But I can't get it to chart by user_id. If I try something like:

rex max_match=0 field=_raw "(?\w+):(?\d+)" | timechart max(proc_count) by user_id

It treats all the values of proc_count as one and just returns the max of all

0 Karma
Reply
Solved! Jump to solution

andrewjgriffin
Engager
‎09-03-2015 02:33 PM

That did it! with one slight change, I had to add _time for the timechart function to work:

index=_dev  host=hostB  | rex max_match=0 field=_raw "(?\w+:\d+)"   | table temp _time | mvexpand temp |   rex field=temp "(?\w+):(?\d+)" | timechart max(proc_count) by user_id
0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎09-03-2015 02:22 PM

Try the updated answer.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...