Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to chart when using multiple matches
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a search which matches multiple values and produces two events as a list. I'd like to basically make it so that the values in eventA are the X axis, the values in eventB are the Y axis, and as more events are found they sum on eventB, grouped by their values in eventA.
I basically have rows in my log which look like: timestamp some text some text: [2s,189] [5s,23] [10s,13] [20s,3] [30s,0]
This is an example of the events my search is finding:
desiredBucket:
2s
5s
10s
20s
30s
desiredValue:
189
23
13
3
0
I can't get this to chart with the following X, Y pairings:
[2s, 189]
[5s, 23]
[10s, 13]
[20s, 3]
[30s, 0]
But instead, I'm getting things like this:
[2s, 228]
[5s, 228]
[10s, 228]
[20s, 228]
[30s, 228]
when I try to chart using chart sum(desiredValue) by desiredBucket
I understand why this is happening but I can't seem to find a way to get Splunk to identify my desired associations. Help?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So this works for me:
| gentimes start=-1
| eval aaa="[2s,189] [5s,23] [10s,13] [20s,3] [30s,0]"
| makemv delim=" " aaa
| mvexpand aaa
| rex field=aaa "\[(?<desiredBucket>.*),(?<desiredValue>.*)\]"
| chart sum(desiredValue) by desiredBucket
In other words, your chart command looks like it ought to work for you. Are you sure your values are properly associated with their buckets?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@aweitzman - your comment helped. Basically, I had to extract [2s,189] [5s,23] [10s,13] [20s,3] [30s,0] and then use makemv to get the charting to behave as I needed. Before, I was simply doing multiple matches from a single rex. Post that as an answer instead of a comment and I'll accept your answer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Glad I was able to help. Converted my comment to an answer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So this works for me:
| gentimes start=-1
| eval aaa="[2s,189] [5s,23] [10s,13] [20s,3] [30s,0]"
| makemv delim=" " aaa
| mvexpand aaa
| rex field=aaa "\[(?<desiredBucket>.*),(?<desiredValue>.*)\]"
| chart sum(desiredValue) by desiredBucket
In other words, your chart command looks like it ought to work for you. Are you sure your values are properly associated with their buckets?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
