Splunk Search

How to display the result in a graph format with timechart as y-axis and field_1, field_2 on x-axis?

Builder

The following were some events :-

[30706/3663031152][Mon Sep 05 2016 03:55:01][CServer.efpp:4719][INFO][sm-Server-3444] Thread pool: Msgs=12345678 Waits=87654321 Misses=12348765 Max HP Msg=7 Max NP Msg=1643 Current Depth=0 Max Depth=1643 Current High Depth=0 Current Norm Depth=0 Current Threads=16 Max Threads=16 Busy Threads=14

[30706/3663031152][Mon Sep 05 2016 04:55:01][CServer.efpp:4719][INFO][sm-Server-3554] Thread pool: Msgs=32456789 Waits=67894563 Misses=12348765 Max HP Msg=7 Max NP Msg=1643 Current Depth=0 Max Depth=1643 Current High Depth=0 Current Norm Depth=0 Current Threads=16 Max Threads=16 Busy Threads=14

So now I want to display the result on x and y axes in such a way that the timechart is on the y-axis and Msgs, Waits are on the x-axis, based on their field values, not count.

I had written half of the search as follows (the named capture groups and the `_raw` field name were lost in the original rendering and are restored here):

source="x" host="b" index="v" sourcetype="z" | rex field=_raw "Msgs=(?<Msgs>\d+)" | rex field=_raw "Waits=(?<Waits>\d+)" |

After extracting Msgs and Waits I am not sure how to continue the search.

For Example If the results are as follows :-
timechart field1 field2
2016-08-12 26 56
2016-09-23 23 234

Now from the above result I want to display a graph in which the timechart is on the y-axis and field1, field2 are on the x-axis. So for 2016-08-12 the graph should show the field2 line above the field1 line, since the field2 value is greater than field1, and the graph should go on like that.

Note :- I know how to write a search for count, but here I was looking for the result based on the field values, which is where I am stuck.

Thanks in Advance

0 Karma
1 Solution

Path Finder

Based on your explanation, it seems that you don't need timechart, because you are doing no aggregation on the extracted values.
You can use TABLE instead; just append TABLE with the fields you need, like this (named capture groups restored, and `_raw` is the field rex reads from):

source="x" host="b" index="v" sourcetype="z" | rex field=_raw "Msgs=(?<Msgs>\d+)" | rex field=_raw "Waits=(?<Waits>\d+)" | TABLE _time Msgs Waits

After that, set "Visualization" to "Bar" chart.
Click on "Format" and choose "Stack".
You will have "_time" as the Y-axis, and the values as the length of the bars on the X-axis.

0 Karma


Legend

First, a timechart always has time on the x-axis. Second, you can extract the values for waits and messages, but what statistic do you want to calculate per day (which is how you are showing your table): average wait, total messages? It is possible to show just the raw values, but this is problematic if you have multiple values within a timespan... Finally, do you want to report by day, or by hour, or ...?

0 Karma