- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to display the result in a graph format wi...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The following were some events :-
[30706/3663031152][Mon Sep 05 2016 03:55:01][CServer.efpp:4719][INFO][sm-Server-3444] Thread pool: Msgs=12345678 Waits=87654321 Misses=12348765 Max HP Msg=7 Max NP Msg=1643 Current Depth=0 Max Depth=1643 Current High Depth=0 Current Norm Depth=0 Current Threads=16 Max Threads=16 Busy Threads=14
[30706/3663031152][Mon Sep 05 2016 04:55:01][CServer.efpp:4719][INFO][sm-Server-3554] Thread pool: Msgs=32456789 Waits=67894563 Misses=12348765 Max HP Msg=7 Max NP Msg=1643 Current Depth=0 Max Depth=1643 Current High Depth=0 Current Norm Depth=0 Current Threads=16 Max Threads=16 Busy Threads=14
So now i want to display the result as x and y axis in such a way that timechart on y-axis and Msgs,Waits on x-axis based on their field values not count.
I had written half of the search as follows :-
source="x" host="b" index="v" sourcetype="z"| rex field=_raw "Msgs=(?[\n]+)" | rex field=_raw "Waits=(?[\n]+)" |
After extracting Msgs and Waits I am not sure how to continue the search.
For Example If the results are as follows :-
timechart field_1 field_2
2016-08-12 26 56
2016-09-23 23 234
Now from the above result I want to display a graph in which timechart on y-axis and field_1,field_2 on x-axis. So for 2016-08-12 the graph should be as field_2 line is greater than field_1 line since field_2 value is greater than field_1. like that the graph should go on.
Note :- I know how to write a search for count but here I was looking the result based on the field values which I am stuck at
Thanks in Advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Based on your explanation, it seems that you don't need time chart, because you are doing no aggregation on the extracted value.
You can use TABLE instead, just append TABLE with the fields you need, like this:
source="x" host="b" index="v" sourcetype="z"| rex field=_raw "Msgs=(?[\n]+)" | rex field=_raw "Waits=(?[\n]+)" |TABLE _time Msgs Waits
After that you choose "Visualization" to "Bar" chart.
Click on the "Format" and choose "Stack".
You will have "_time" as Y-axis, and values as length of line on the X-axis
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Based on your explanation, it seems that you don't need time chart, because you are doing no aggregation on the extracted value.
You can use TABLE instead, just append TABLE with the fields you need, like this:
source="x" host="b" index="v" sourcetype="z"| rex field=_raw "Msgs=(?[\n]+)" | rex field=_raw "Waits=(?[\n]+)" |TABLE _time Msgs Waits
After that you choose "Visualization" to "Bar" chart.
Click on the "Format" and choose "Stack".
You will have "_time" as Y-axis, and values as length of line on the X-axis
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First, a timechart always has time on the x-axis. Second, you can extract the values for waits and messages, but what statistic do you want to calculate per day (which is how you are showing your table) - average wait, total messages?? It is possible to show just the raw values - but this is problematic if you have multiple values within a timespan... Finally, do you want to report by day - or by hour or ...?
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
