Splunk Search

How to lump data into two groups by a field for a trendline?

splunk_question
Explorer

So I have some data which looks similar to this:

time="timevalue", name="name", measurement="value"

And I have 7 different values for name (i.e., name1, name2, etc.)
How can I group the data together so that, on the same trendline (graphing averages), it has the groups

{name1, name2}
{name3, name4, name5, name6, name7}

And performs my calculations on those.
The search right now returns an average of all events:

base search
| timechart span=12h values(measurement) as Measurement
| streamstats window=180 AVG
| table _time AVG*
0 Karma
1 Solution

adonio
Ultra Champion

try this search anywhere:

I used numeric values for the measurement field and grouped with eval by names.
Your timechart(values) might create multivalue fields, which I think will not work very well with streamstats.
Hope this sets you in the right direction.

| gentimes start="05/16/2017:00:00:00" end="05/17/2018:00:00:00" increment=10m
| eval _time = starttime
| eval data = "name1;55,66,77,88|name2;55,66,77,88|name3;54,46,67,89|name4;53,36,73,38|name5;25,62,27,28|name6;51,16,71,18|name7;50,60,70,80"
| makemv delim="|" data
| mvexpand data
| rex field=data "(?<name>\w+)\;(?<measurement>\S+)"
| makemv delim="," measurement
| mvexpand measurement
| fields _time name measurement

The above generates fake data; below is the solution.

| eval groups = if(name=="name1" OR name=="name2","group1","group2")
| timechart span=12h values(measurement) as Measurement by groups

hope it helps

0 Karma
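An added offline model of what the accepted pipeline computes, written here for illustration; it is not adonio's search and not Splunk code. It assumes UTC 12h buckets aligned to the epoch (which is how timechart span=12h buckets in a UTC-configured deployment), uses a constructed event list in place of the gentimes data, and shows the difference between values() (a distinct-value multivalue field per bucket) and avg() (a single number per bucket that a streamstats trailing window can consume), plus a streamstats-style window average applied per group.

```python
"""Offline model of: eval groups=if(...) | timechart span=12h <agg>(measurement) by groups | streamstats."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

SPAN = timedelta(hours=12)  # mirrors timechart span=12h

# Constructed sample events (time, name, measurement); not real data from the thread.
SAMPLE_EVENTS = [
    ("2017-05-16T00:10:00Z", "name1", 55),
    ("2017-05-16T01:10:00Z", "name2", 66),
    ("2017-05-16T02:10:00Z", "name3", 54),
    ("2017-05-16T03:10:00Z", "name4", 53),
    ("2017-05-16T04:10:00Z", "name5", 25),
    ("2017-05-16T13:10:00Z", "name1", 77),
    ("2017-05-16T14:10:00Z", "name2", 88),
    ("2017-05-16T15:10:00Z", "name6", 51),
    ("2017-05-16T16:10:00Z", "name7", 50),
    ("2017-05-17T01:10:00Z", "name1", 88),
    ("2017-05-17T02:10:00Z", "name3", 89),
    ("2017-05-17T03:10:00Z", "name3", 89),  # repeated value: values() collapses it, avg() counts it
]


def assign_group(name):
    """Mirrors: eval groups = if(name=="name1" OR name=="name2","group1","group2")."""
    return "group1" if name in ("name1", "name2") else "group2"


def bucket_start(ts):
    """Floor an aware datetime to the start of its 12h span (epoch-aligned, UTC)."""
    epoch = int(ts.timestamp())
    span = int(SPAN.total_seconds())
    return datetime.fromtimestamp(epoch - epoch % span, tz=timezone.utc)


def timechart(events, agg="avg"):
    """Return {bucket_start: {group: aggregate}} in time order.

    agg="avg"    -> mean of measurement per group per bucket (one number per cell)
    agg="values" -> sorted distinct measurements per group per bucket (a multivalue cell)
    """
    buckets = defaultdict(lambda: defaultdict(list))
    for t, name, m in events:
        ts = datetime.strptime(t, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        buckets[bucket_start(ts)][assign_group(name)].append(float(m))
    chart = {}
    for b in sorted(buckets):
        row = {}
        for g, vals in buckets[b].items():
            row[g] = sum(vals) / len(vals) if agg == "avg" else sorted(set(vals))
        chart[b] = row
    return chart


def streamstats_avg(series, window):
    """Trailing-window mean per group over the timechart rows, like
    `streamstats window=N avg(group1) avg(group2)` applied to the chart output.
    series: list of (bucket, {group: number}) in time order. A group absent from a
    bucket (timechart would emit null) simply contributes nothing to its window."""
    history = defaultdict(list)
    result = []
    for b, row in series:
        out = {}
        for g, v in row.items():
            history[g].append(v)
            history[g] = history[g][-window:]
            out[g] = sum(history[g]) / len(history[g])
        result.append((b, out))
    return result


if __name__ == "__main__":
    avg_chart = timechart(SAMPLE_EVENTS, agg="avg")
    for b, row in avg_chart.items():
        print(b.isoformat(), row)
    print("values() form of last bucket:", list(timechart(SAMPLE_EVENTS, agg="values").values())[-1])
    for b, row in streamstats_avg(list(avg_chart.items()), window=2):
        print("window=2", b.isoformat(), row)
```

The values() rows are lists, so a trailing-window average over them has nothing numeric to sum, which is the multivalue problem adonio flags; swapping values() for avg() in the timechart gives one number per group per bucket, and the window average then works per group column.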

splunk_question
Explorer

Perfect. I've been working on it and did much the same thing. I'm rather new to Splunk and didn't know how Boolean operations were parsed, and I was trying to ram through

if(name=a OR b, " ", " ")

rather than

if(name=a OR name=b, ...)

Since the names are numeric, I was able to do

if(name<=name, ...)

But thanks for letting me know about that!

0 Karma

adonio
Ultra Champion

you bet! glad it helped 🙂

0 Karma

adonio
Ultra Champion

do you mean this:
base search
| timechart span=12h values(measurement) as Measurement by name
| streamstats window=180 AVG
| table _time AVG*

0 Karma

splunk_question
Explorer

Yes, but instead of taking the averages by each individual name, I'd like to take the averages of (name1, name2) and (names 3-7) separately, while displaying them on the same chart.

0 Karma