Splunk Search

How to edit my search to graph a list of values with different colored bars or lines?

sohnaeo
New Member

Hello Guys,

I am new to Splunk, so please bear with me. I am having an issue and couldn't find any resolution yet. I have a log file that looks like below.

Note: many lines logged at the same

54
92
30
39
99
71
42
94
1
6
21

I am using the below search query.

index=number| timechart span=5m list(Random)

It is showing the results and Statistics is showing the multiple numbers at the exact time like below

2015-03-18 15:55:00
47
45
32

But the visualization graph is not showing these numbers. If I use max(Random), it chooses the max number from the 3 above and shows it in the visualization graph. Is there any way I can see all these 3 numbers in one bar graph line with different colors?

Is it possible?

Thanks in advance.

0 Karma
1 Solution

ngatchasandra
Builder

Hi sohnaeo,
You will use the mvexpand command because your data contains multivalue fields.
Here is a good query to visualize all Random values:

index=numbers| timechart span=5m list(Random) |mvexpand list(Random)

or, with min(Random) and max(Random):

index=numbers| timechart span=5m max(Random) min(Random) list(Random) |mvexpand list(Random)

sohnaeo
New Member

You are a legend, mate. Thanks a lot, that's exactly what I wanted.

0 Karma

ngatchasandra
Builder

Hi,

The following query shows me the min and max Random for each date:

index=numbers| timechart span=5m max(Random) min(Random)

0 Karma

sohnaeo
New Member

Thanks ngatchasandra for looking at my issue. Yes, the query you provided shows the min and max Random, but I would like to show all values regardless of the min and max.

index=numbers| timechart span=5m list(Random)

The above query shows all the Random values for each date, but they are not appearing under the Visualization; the Visualization just gets confused about what value it needs to take to show on the graph.

Please see the below screenshot of my Splunk search. For example, for 2015-03-18 15:55:00, you would see list(Random) at the bottom of the page:

2015-03-18 15:55:00 47
45
32

You would see multiple values like above (47, 45, 32), but the graph is empty for these values. I am interested in getting these numbers into the visualization. I hope that clarifies my requirement.

URL: http://postimg.org/image/oek69n81v/

0 Karma

ngatchasandra
Builder

Please check your screenshot link again. I did not get it.

0 Karma

sohnaeo
New Member

Thanks guys for the prompt replies, but please accept my apology; I couldn't explain the problem properly.

The "count by Random" is showing the occurrences of the numbers in the format below:

_time 16 17 21 3 37 55 73 76 85 90 OTHER
2015-03-18 15:55:00 0 0 0 0 0 0 0 0 0 0 3

I don't want this; in fact, I want to visualize these numbers themselves: 16, 17, 21, 3.

I do have the statistics like below:

2015-03-18 15:55:00 47
45
32
2015-03-18 16:00:00 87
2015-03-18 16:05:00 7
72
81
47
76
2015-03-18 16:10:00 74
24
2015-03-18 16:15:00 37
2015-03-18 16:20:00 45

You can see that sometimes there are multiple numbers against the date, and I can't find a way to visualize all these numbers in the graph.

For example,

2015-03-18 16:10:00 74
24

If I choose max(Random), it chooses the maximum number, 74; if I choose min(Random), it chooses 24, but I can't find a way to get both numbers in the visualization.

I have also attached the screenshot; it may help you guys to understand that. In the screenshot you can see that the visualization has picked only the number 87, and the rest of the graph is blank because it got multiple values and the graph somehow doesn't show these.

Thank you very much

0 Karma

ngatchasandra
Builder

Hi sohnaeo,
Your request is not good to give you all three numbers in one bar graph line with different colors.

I created a small CSV file with your data. The list() function can't allow you to see this visualization. The request that follows will help you:

index=number| timechart span=5m count by Random

I am working in 6.2, and when I run this request it automatically shows me in the visualization what you want.

0 Karma

NOUMSSI
Builder

Hi sohnaeo,

The graph is not showing these numbers because the timechart function has required arguments: either a single-agg or an eval-expression.
In your case, to get those numbers you must use an eval-expression (eval, sum, avg ...) after span=5m.

For example, you can do this:

index=number| timechart span=5m count by Random

You'll get all results on your graph.

0 Karma
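
An added example, not taken from any post in this thread: one way to give every value in a 5-minute bucket its own series, so that a column chart draws each value as a separately colored bar. The sample events are constructed with makeresults from the numbers quoted above; the field names n and slot and the value_ prefix are assumptions made for this example.

```spl
| makeresults count=6
| streamstats count AS n
| eval _time = strptime("2015-03-18 15:55:00", "%Y-%m-%d %H:%M:%S") + case(n<=3, 0, n==4, 300, true(), 900)
| eval Random = case(n==1, 47, n==2, 45, n==3, 32, n==4, 87, n==5, 74, n==6, 24)
| fields _time Random
| bin _time span=5m
| streamstats count AS slot BY _time
| eval slot = "value_" . slot
| timechart span=5m limit=0 max(Random) BY slot
```

Each slot holds exactly one value per bucket, so max() returns that value unchanged while still satisfying timechart's need for a single aggregation per series. limit=0 keeps timechart from folding series beyond the tenth into the OTHER column seen in the "count by Random" output above.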