Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to extract a field and chart it

venkat_d
New Member
‎05-02-2014 06:06 PM

Splunk newbie here.

Contents of my logfile are as follows:
2014-05-02 20:29:25 - FOOBAR_STAT:Q_COUNT=5
2014-05-02 20:29:26 - FOOBAR_STAT:Q_COUNT=1
2014-05-02 20:29:27 - FOOBAR_STAT:Q_COUNT=3
2014-05-02 20:29:28 - FOOBAR_STAT:Q_COUNT=0

I would like to extract the number after Q_COUNT and chart it.

I tried many options with timechart, count, ... not getting what i was looking for.
Hence, posting to this board.

Tags (2)
0 Karma
Reply

lguinn2
Legend
‎05-04-2014 10:31 AM

You can try this, but it may not work:

yoursearchhere
| rex "Q_COUNT=(?<qCount>\d+)"
| table _time qQcount

and then go to the Visualization tab and choose line chart. Also try

yoursearchhere
| rex "Q_COUNT=(?<qCount>\d+)"
| timechart max(qCount) as TotalQCount span=1s

If Splunk can't handle the span=1s, you might need to set the span higher, like 1m, but using max(qCount) will continue to show the spikes instead of smoothing them.

Reply

lguinn2
Legend
‎05-02-2014 07:22 PM

Try this

yoursearchhere
| rex "Q_COUNT=(?<qCount>\d+)"
| timechart sum(qCount) as TotalQCount span=15m

or maybe

yoursearchhere
| rex "Q_COUNT=(?<qCount>\d+)"
| timechart avg(qCount) as AvgQCount span=1h

You can play around with the span and the statistics, etc.

0 Karma
Reply

venkat_d
New Member
‎05-02-2014 07:56 PM

Thanks. However, my requirement is different and simple. I have values 5,1,3,0
I just want time on x-axis and count on y-axis and a simple line chart that shows spikes.

But, the splunk seems to group lines together - based on sum, avg and all other methods. So, all i am getting is a chart like value 5 was present 10 times, value 1 was present 22 times and so on.

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...