Splunk Search

How to group my sample events together for a timechart?

schose
Builder

Hi all,

I'm searching for a way to treat different events as one. Example: If I'm getting events like this where every field-value pair is in one event, it's easy to deal with it:

events:

1426177481 testhost=wonderserver3 running=3 sleeping=147 zombie=2
1426177492 testhost=wonderserver1 running=4 sleeping=141 zombie=2
1426177493 testhost=wonderserver2 running=1 sleeping=146 zombie=2

target: sum all key-value pairs together over the time and create a chart:

index="temp" testhost=* | eval allprocesses=running+sleeping+zombie | timechart avg(allprocesses) by testhost

but now I'm getting events looking like this:

1426179351 thost=appserver03 object=zombie value=1
1426179352 thost=appserver03 object=sleeping value=147
1426179353 thost=appserver03 object=running value=1
1426179354 thost=appserver02 object=zombie value=1
1426179355 thost=appserver02 object=sleeping value=147
1426179356 thost=appserver02 object=running value=1

What would be a good idea to group these events together? The value is always in the field named "value" and the key is included in object. All they have in common is the hostname.

Thanks for your help in advance

Andreas

0 Karma
1 Solution

schose
Builder

HI all,

thanks for your answers. For me the main problem was that all values were created in the field "value". It worked much better for me to extract the field names using the <_KEY_1><_VAL_1> fields. These fields extract the names of the values "dynamically", so I get fields with e.g. running=3 sleeping=105 ...

so creating a timechart is quite easy when using `search | timechart avg(running) as running avg(sleeping) as sleeping`

Thx and best regards,

Andreas

0 Karma
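The accepted answer refers to the `_KEY_1`/`_VAL_1` extraction but does not show it. The following props.conf/transforms.conf stanzas are an added example, not configuration posted in this thread or shipped by Splunk; the sourcetype name `procstats` and the stanza name `procstats_object_value` are assumptions, and the regex matches the `object=... value=...` layout of the events in the question.

```ini
# transforms.conf (added example): a regex whose capture groups are named
# _KEY_1 and _VAL_1. Splunk then creates a field named after the object
# (running, sleeping or zombie) whose value is the number after value=,
# instead of one generic field called "value".
[procstats_object_value]
REGEX = object=(?<_KEY_1>\w+)\s+value=(?<_VAL_1>\d+)

# props.conf (added example): attach the transform to the sourcetype so it
# runs at search time. "procstats" is an assumed sourcetype name.
[procstats]
REPORT-object_value = procstats_object_value
```

One caveat when charting the total: each event now carries only one of `running`, `sleeping` or `zombie`, so an `eval allprocesses=running+sleeping+zombie` evaluated per event is null for every event. Aggregate per host and time bucket first, for example `index="temp" thost=* | bucket span=1m _time | stats max(running) as running max(sleeping) as sleeping max(zombie) as zombie by _time thost | eval allprocesses=running+sleeping+zombie | timechart avg(allprocesses) by thost`, with the span matched to the polling interval.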


ppablo
Retired

Hi @schose

Just following up with this post, but did either of the 3 responses you got here solve your question? If yes, please be sure to resolve this post by accepting the one that worked best for your case. Thanks!

0 Karma

tachifelix
Path Finder

try something like this:

index="temp" testhost=* | bucket span=1d _time | eval allprocess=running+sleeping+zombie | timechart avg(allprocess)

change the span as you need

dcharb78
Engager

Quick way to group them:

index=test sourcetype="answers" | transaction maxspan=5s thost

Assuming the whatever is polling them is doing it serially and there is a max span of 5 seconds.

0 Karma

somesoni2
SplunkTrust

You can try something like this but you would have to specify the timechart span (in bucket command). This example does it for a day.

index="temp" thost=* | bucket span=1d _time | stats sum(value) as value by _time, thost | timechart avg(value) by thost

0 Karma