Splunk Search

How to lump data into two groups by a field for a trendline?

splunk_question
Explorer

So I have some data which looks similar to this:

time="timevalue", name="name", measurement="value"

And I have 7 different values for name (i.e., name1, name2, etc.)
How can I group the data together so that, on the same trendline (graphing averages), it has the groups

{name1, name2}
{name3, name4, name5, name6, name7}

And performs my calculations on those.
The search right now returns an average of all events:

base search
| timechart span=12h values(measurement) as Measurement
| streamstats window=180 AVG
| table _time AVG*
0 Karma
1 Solution

adonio
Ultra Champion

try this search anywhere:

i used numeric values for measurement field and grouped with eval by names
your timechart(values) might create multi value fields, which i think will not work very well with streamstats
hope this sets you in the right direction

| gentimes start="05/16/2017:00:00:00" end="05/17/2018:00:00:00" increment=10m
| eval _time = starttime 
| eval data = "name1;55,66,77,88|name2;55,66,77,88|name3;54,46,67,89|name4;53,36,73,38|name5;25,62,27,28|name6;51,16,71,18|name7;50,60,70,80"
| makemv delim="|" data
| mvexpand data
| rex field=data "(?<name>\w+)\;(?<measurement>\S+)"
| makemv delim="," measurement
| mvexpand measurement
| fields _time name measurement

the above generates fake data; below is the solution

| eval groups = if(name=="name1" OR name=="name2","group1","group2")
| timechart span=12h values(measurement) as Measurement by groups

hope it helps


0 Karma
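Putting the accepted grouping together with the rolling average the question started from, as an added example that is not from the original post. It assumes the same `base search`, `name` and `measurement` fields as the question, and uses `avg()` instead of `values()` so that each group produces a single number per bucket for `streamstats` to work on (the two split-by columns are named `group1` and `group2` by `timechart`):

```spl
base search
| eval groups = if(name=="name1" OR name=="name2", "group1", "group2")
| timechart span=12h avg(measurement) as Measurement by groups
| streamstats window=180 avg(group1) as group1_avg avg(group2) as group2_avg
| table _time group1_avg group2_avg
```

Both rolling averages end up in the same result table, so a line chart of it shows the two groups as two trendlines; buckets where a group has no events are skipped by `avg()` rather than dragging the average to zero.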

splunk_question
Explorer

Perfect. I've been working on it and did much the same thing. I'm rather new to Splunk and didn't know how Boolean operations were parsed, and I was trying to ram through

if(name=a OR b, " ", " ")

rather than

if(name=a OR name=b, ...)

Since the names are numeric, I was able to do

if(name<=name, ...)

But thanks for letting me know about that!

0 Karma

adonio
Ultra Champion

you bet! glad it helped 🙂

0 Karma

adonio
Ultra Champion

do you mean this:
base search
| timechart span=12h values(measurement) as Measurement by name
| streamstats window=180 AVG
| table _time AVG*

0 Karma

splunk_question
Explorer

Yes, but instead of taking the averages by each individual name, I'd like to take the averages of (name1, name2) and (names 3-7) separately, while displaying them on the same chart.

0 Karma