- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to chart with multiple hour fields from 0h...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have some performance data that is for the most part, fairly standard, such as SystemName, Metric (cpu, memory, whatever), counter type (percent, kbs, the unit basically), and then I have field 0h to 24h, which is the value on the hour.
I'd like to show, for example, the memory percent as a line chart, but I'm unsure how to tell Splunk to pull the data from the hour fields.
Sample Data:
Workload Name, Counter Name, Counter Metric,Rollup Type, 0h, 1h, 2h, 3h
SYSTEM1234, Read workload metric, number, max, 77, 141, 254, 190
this only shows hours 0 to 3, there are 24 of those fields.
So what i'd like to see is a line chart, where the X axis has the 0h, 1h, 2h all the way to 24h and the Y is retaliative to the values (in this case, 77-254)
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try
your base search giving your fields Workload Name, Counter Name, Counter Metric,Rollup Type, 0h, 1h, 2h, 3h...
| eval Metric='Workload Name'.":".'Counter Name'.":".'Counter Metric'.":".'Rollup Type' | fields - "Workload Name" "Counter Name" "Counter Metric" "Rollup Type" | untable Metric hour value | table hour Metric value
OR
your base search giving your fields Workload Name, Counter Name, Counter Metric,Rollup Type, 0h, 1h, 2h, 3h...
| eval Metric='Workload Name'.":".'Counter Name'.":".'Counter Metric'.":".'Rollup Type' | fields - "Workload Name" "Counter Name" "Counter Metric" "Rollup Type" | untable Metric hour value | chart values(value) over hour by Metric
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try
your base search giving your fields Workload Name, Counter Name, Counter Metric,Rollup Type, 0h, 1h, 2h, 3h...
| eval Metric='Workload Name'.":".'Counter Name'.":".'Counter Metric'.":".'Rollup Type' | fields - "Workload Name" "Counter Name" "Counter Metric" "Rollup Type" | untable Metric hour value | table hour Metric value
OR
your base search giving your fields Workload Name, Counter Name, Counter Metric,Rollup Type, 0h, 1h, 2h, 3h...
| eval Metric='Workload Name'.":".'Counter Name'.":".'Counter Metric'.":".'Rollup Type' | fields - "Workload Name" "Counter Name" "Counter Metric" "Rollup Type" | untable Metric hour value | chart values(value) over hour by Metric
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Its still a little weird (seems like there is duplicate data perhaps?) but i was able to get that working. thanks! I'll have to go read up on untable, it seems to be the real magic here
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you post a sample event and desired output ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
Your Base Search Here | eval _time=YourHourFieldHere | rex field=_time mode=sed "s/[hH]$//" | eval _time=_time * 60 * 60 | fieldformat _time = strftime(_time, "%H") | timechart span=1h avg(*) AS * BY host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm not sure I follow, where you have the YourHourFieldHere, that's one field, I have 24 fields related to time, h0, h1,h2 all the way to h24
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
