Splunk Search

How to chart a varying number of fields?

andrewjgriffin
Engager

I have message data similar to the following, which is the count of active user processes on a host:

host=hostA user1:0 user3:12 user10:2 user2:0
host=hostB user1:1 user4:8
host=hostC user10:2 user21:3 user2:0 user4:0 user14:8 user15:0

The format of the user fields is always the same - "user name":"number of processes" - however, the number of users reported on each host is variable. Some hosts will only have a few, some have dozens. I'm trying to create a chart to count the number of processes per user, split by user, on a given host over time, and I'm stuck. I'm assuming I need to use the format option, but I can't get the fields to split like I need. This is what I've come up with, but it returns no results:

index=_dev host=hostB | chart format=$AGG$:$VAL$ max($VAL$) by $AGG$

somesoni2
Revered Legend

Try something like this

index=_dev  host=hostB | extract kvdelim="=:" pairdelim=" " | table host user* | untable host user processcount

** for your rex solution **

index=_dev  host=hostB  | rex max_match=0 field=_raw "(?<temp>\w+:\d+)"   | table _time temp | mvexpand temp |   rex field=temp "(?<user_id>\w+):(?<proc_count>\d+)" | timechart max(proc_count) by user_id

andrewjgriffin
Engager

This rex is getting me a table like I want to see:

rex max_match=0 field=_raw "(?<user_id>\w+):(?<proc_count>\d+)" | table user_id proc_count

But I can't get it to chart by user_id. If I try something like:

rex max_match=0 field=_raw "(?<user_id>\w+):(?<proc_count>\d+)" | timechart max(proc_count) by user_id

It treats all the values of proc_count as one and just returns the max of all.


andrewjgriffin
Engager

That did it! With one slight change: I had to add _time for the timechart function to work:

index=_dev  host=hostB  | rex max_match=0 field=_raw "(?<temp>\w+:\d+)"   | table temp _time | mvexpand temp |   rex field=temp "(?<user_id>\w+):(?<proc_count>\d+)" | timechart max(proc_count) by user_id
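As an added, self-contained example (not code from the thread), here is the accepted token-then-mvexpand pipeline run end to end on the three sample events from the question plus one extra hostB event constructed for this example, so it can be pasted into any Splunk search bar without indexed data. The field names pair and n, the extra hostB line, the one-minute spacing between events, and the host extraction from _raw are all assumptions of this example; on real data the host field is already indexed, so the makeresults/eval/host-rex prelude is replaced by index=_dev host=hostB as in the answer above.

```spl
| makeresults count=4
| streamstats count AS n
| eval _time = _time - (n * 60)
| eval _raw = case(n == 1, "host=hostA user1:0 user3:12 user10:2 user2:0",
                   n == 2, "host=hostB user1:1 user4:8",
                   n == 3, "host=hostC user10:2 user21:3 user2:0 user4:0 user14:8 user15:0",
                   n == 4, "host=hostB user1:3 user4:5 user7:1")
| rex field=_raw "host=(?<host>\S+)"
| rex max_match=0 field=_raw "(?<pair>\w+:\d+)"
| mvexpand pair
| rex field=pair "(?<user_id>\w+):(?<proc_count>\d+)"
| eval proc_count = tonumber(proc_count)
| search host=hostB
| timechart limit=0 span=1m max(proc_count) by user_id
```

Two points worth knowing when adapting this. First, capturing user name and count in one token (pair) and only splitting after mvexpand is what keeps each count attached to its user: a single rex with max_match=0 and two capture groups produces two independent multivalue fields per event, so timechart ... by user_id aggregates the whole proc_count list for every user, which is exactly the "max of all" behaviour described above. Second, timechart splits into at most 10 series by default and folds the rest into OTHER; since the question says some hosts report dozens of users, limit=0 is needed to get one column per user.
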

somesoni2
Revered Legend

Try the updated answer.
