Hello Guys,
I am new to Splunk, so please bear with me. I am having an issue and couldn't find any resolution yet. I have a log file that looks like the one below.
Note: many lines logged at the same
54
92
30
39
99
71
42
94
1
6
21
I am using the below search query.
index=number| timechart span=5m list(Random)
It is showing the results, and Statistics is showing multiple numbers at the exact same time, like below:
2015-03-18 15:55:00
47
45
32
But the visualization graph is not showing these numbers. If I use max(Random), then it chooses the max number from the 3 above and shows it in the visualization graph. Is there any way I can see all these 3 numbers in one bar graph line with different colors?
Is it possible?
Thanks in advance.
Hi, sohnaeo,
You will use the mvexpand command because you have multivalue fields in your data.
Here is a good query to visualize all Random values:
index=numbers| timechart span=5m list(Random) |mvexpand list(Random)
or, with min(Random) and max(Random):
index=numbers| timechart span=5m max(Random) min(Random) list(Random) |mvexpand list(Random)
You are a legend, mate. Thanks a lot, that's exactly what I wanted.
Hi,
The following query shows me the min and max Random of each date:
index=numbers| timechart span=5m max(Random) min(Random)
Thanks, ngatchasandra, for looking at my issue. Yes, the query you provided shows the min and max Random, but I would like to show all values regardless of the min and max.
index=numbers| timechart span=5m list(Random)
The above query shows all the Random values of each date, but they are not appearing under the Visualization; the Visualization just gets confused about what value I need to take to show on the graph.
Please see the below screenshot of my Splunk search. For example, for 2015-03-18 15:55:00, you would see list(Random) at the bottom of the page:
2015-03-18 15:55:00 47
45
32
You would see multiple values like above (47, 45, 32), but the graph is empty for these values. I am interested in getting these numbers in the visualization. I hope this clears up my requirement.
Please check your screenshot link again. I did not get it.
Thanks, guys, for the prompt replies, but accept my apology: I couldn't explain the problem properly.
The "count by Random" is showing the occurrences of the numbers in the format below:
_time 16 17 21 3 37 55 73 76 85 90 OTHER
2015-03-18 15:55:00 0 0 0 0 0 0 0 0 0 0 3
I don't want this. In fact, I want to visualize these numbers themselves: 16, 17, 21, 3.
I do have the statistics like below:
2015-03-18 15:55:00 47
45
32
2015-03-18 16:00:00 87
2015-03-18 16:05:00 7
72
81
47
76
2015-03-18 16:10:00 74
24
2015-03-18 16:15:00 37
2015-03-18 16:20:00 45
You can see that sometimes there are multiple numbers against the date, and I can't find a way to visualize all these numbers in the graph.
For example,
2015-03-18 16:10:00 74
24
If I choose max(Random), then it chooses the maximum number, 74; if I choose min(Random), it chooses 24. But I can't find a way to get both numbers in the visualization.
I have also attached the screenshot; it may help you guys understand that. In the screenshot you can see that the visualization has picked only 87 numbers and the rest of the graph is blank, because it got multiple values and the graph somehow doesn't show these.
Thank you very much
Hi, sohnaeo
Your request is not good for giving you all three numbers in one bar graph line with different colors.
I created a small csv file with your data. The list() function can't allow you to see this visualization. The request that follows will help you:
index=number| timechart span=5m count by Random
I am working in 6.2, and when I run this request it automatically shows me the visualization you want.
Hi sohnaeo
The graph is not showing these numbers because the timechart function has required arguments: either a single-agg or an eval-expression.
In your case, to get those numbers you must use an eval-expression (eval, sum, avg ...) after span=5m.
For example, you can do this:
index=number| timechart span=5m count by Random
You'll get all results on your graph.
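The data shapes discussed in this thread, as an added example that is not part of any post and is not Splunk code: a Python model of one multivalue cell per 5-minute bucket (what list(Random) returns), one row per value (what mvexpand returns), and a pivot that gives each value in a bucket its own series so a chart can colour them separately. The sample events, the function names and the value_N series names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (timestamp, Random), shaped like the thread's data.
EVENTS = [
    ("2015-03-18 16:00:12", 87),
    ("2015-03-18 16:05:01", 7),
    ("2015-03-18 16:05:01", 72),   # same second as the previous event
    ("2015-03-18 16:07:40", 81),
    ("2015-03-18 16:10:05", 74),
    ("2015-03-18 16:13:59", 24),
    ("2015-03-18 16:15:30", 37),
]
FMT = "%Y-%m-%d %H:%M:%S"

def bucket(ts, span_minutes=5):
    """Floor a timestamp to the start of its span, as span=5m does."""
    t = datetime.strptime(ts, FMT)
    floored = t - timedelta(minutes=t.minute % span_minutes, seconds=t.second)
    return floored.strftime(FMT)

def list_per_bucket(events):
    """One row per bucket holding a list: a multivalue cell, which a
    chart cannot plot because it is not a single number."""
    rows = defaultdict(list)
    for ts, value in events:
        rows[bucket(ts)].append(value)
    return dict(rows)

def expand(rows):
    """One row per (bucket, value): the shape after expanding the list."""
    return [(b, v) for b in sorted(rows) for v in rows[b]]

def pivot_by_position(rows):
    """Number the values inside each bucket and make one column per
    position, so every cell is a single number (or None if absent)."""
    width = max(len(vals) for vals in rows.values())
    names = [f"value_{i + 1}" for i in range(width)]
    table = {
        b: {n: (vals[i] if i < len(vals) else None)
            for i, n in enumerate(names)}
        for b, vals in sorted(rows.items())
    }
    return names, table

if __name__ == "__main__":
    names, table = pivot_by_position(list_per_bucket(EVENTS))
    print("_time", *names)
    for b, cells in table.items():
        print(b, *(cells[n] for n in names))
```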