Re: How to extract a field and chart it

venkat_d · ‎05-02-2014

Splunk newbie here.

Contents of my logfile are as follows:
2014-05-02 20:29:25 - FOOBAR_STAT:Q_COUNT=5
2014-05-02 20:29:26 - FOOBAR_STAT:Q_COUNT=1
2014-05-02 20:29:27 - FOOBAR_STAT:Q_COUNT=3
2014-05-02 20:29:28 - FOOBAR_STAT:Q_COUNT=0

I would like to extract the number after Q_COUNT and chart it.

I tried many options with timechart, count, ... not getting what i was looking for.
Hence, posting to this board.

lguinn2 · ‎05-04-2014

You can try this, but it may not work:

yoursearchhere
| rex "Q_COUNT=(?<qCount>\d+)"
| table _time qQcount

and then go to the Visualization tab and choose line chart. Also try

yoursearchhere
| rex "Q_COUNT=(?<qCount>\d+)"
| timechart max(qCount) as TotalQCount span=1s

If Splunk can't handle the span=1s, you might need to set the span higher, like 1m, but using max(qCount) will continue to show the spikes instead of smoothing them.

lguinn2 · ‎05-02-2014

Try this

yoursearchhere
| rex "Q_COUNT=(?<qCount>\d+)"
| timechart sum(qCount) as TotalQCount span=15m

or maybe

yoursearchhere
| rex "Q_COUNT=(?<qCount>\d+)"
| timechart avg(qCount) as AvgQCount span=1h

You can play around with the span and the statistics, etc.

venkat_d · ‎05-02-2014

Thanks. However, my requirement is different and simple. I have values 5,1,3,0
I just want time on x-axis and count on y-axis and a simple line chart that shows spikes.

But, the splunk seems to group lines together - based on sum, avg and all other methods. So, all i am getting is a chart like value 5 was present 10 times, value 1 was present 22 times and so on.

How to extract a field and chart it

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?