Splunk Search

How to plot a timechart so the values are plotted correctly for the search?

prysmuser
New Member

I'm trying to plot a timechart with the data below. An empty graph is displayed with the correct X-axis and Y-axis, but the values are not plotted in the graph. I'm planning to keep CLASS as a drop-down so that when a particular Class is selected, the corresponding timechart of Mark VAL is plotted for each Roll No.

INPUT DATA:
04 Apr 2018 14:42:32,873 [29] INFO1 - category: CLASS = A1, Roll No = 0, Mark = Low, VAL = 35.69959601
04 Apr 2018 14:42:32,873 [29] INFO1 - category: CLASS = A1, Roll No = 1, Mark = Low, VAL = 25.60819999
04 Apr 2018 14:42:32,873 [29] INFO1 - category: CLASS = A1, Roll No = 2, Mark = Low, VAL = 28.43093038
04 Apr 2018 14:42:40,537 [27] INFO2 - category: CLASS = A2, Roll No = 3, Mark = Low, VAL = 79.92345495
04 Apr 2018 14:42:40,537 [27] INFO2 - category: CLASS = A2, Roll No = 4, Mark = Low, VAL = 75.12605708
04 Apr 2018 14:42:40,537 [27] INFO2 - category: CLASS = A2, Roll No = 5, Mark = Low, VAL = 96.04065139

Source code:

host=ControlPC sourcetype="new"  (CLASS AND "MARK = Low" AND INFO)
| eval CLASS_NO = $CLASS_TOKEN$
| eval VAL = round(VAL,3)
| eval info=if(sourcetype="new", VAL, 'Roll No')
| timechart VALUES(info) usenull=false by CLASS_NO
0 Karma

niketn
Legend

@prysmuser, if you perform values(info) alone in the timechart, it becomes a multi-value field, which cannot be plotted on a timechart. Refer to Statistical Functions to understand how they work and when you should use them.

Following is a run-anywhere example based on the sample data provided (the commands from | makeresults till | KV are used to create dummy data to test the timechart command). PS: I have used cont=f to retain only the time spans where data is present and drop the other spans of time with no data.

|  makeresults
|  eval data="04 Apr 2018 14:42:32,873 [29] INFO1 - category: CLASS = A1, Roll No = 0, Mark = Low, VAL = 35.69959601;04 Apr 2018 14:42:32,873 [29] INFO1 - category: CLASS = A1, Roll No = 1, Mark = Low, VAL = 25.60819999;04 Apr 2018 14:42:32,873 [29] INFO1 - category: CLASS = A1, Roll No = 2, Mark = Low, VAL = 28.43093038;04 Apr 2018 14:42:40,537 [27] INFO2 - category: CLASS = A2, Roll No = 3, Mark = Low, VAL = 79.92345495;04 Apr 2018 14:42:40,537 [27] INFO2 - category: CLASS = A2, Roll No = 4, Mark = Low, VAL = 75.12605708;04 Apr 2018 14:42:40,537 [27] INFO2 - category: CLASS = A2, Roll No = 5, Mark = Low, VAL = 96.04065139"
|  makemv data delim=";" 
|  mvexpand data
|  rename data as _raw
|  rex "(?<time>\d{2}\s\w{3}\s\d{4}\s\d{2}\:\d{2}\:\d{2}\,\d{3})"
|  eval _time=strptime(time,"%d %b %Y %H:%M:%S,%3N")
|  KV
|  eval VAL=round(VAL,1)
|  timechart latest(VAL) as VAL by No cont=f usenull=f useother=f limit=0

A couple of questions from your query:
1) In the base search, sourcetype="new" is filtered; however, eval uses the condition sourcetype="veganew", which will never be true.
2) What is the NAME field?
3) You have performed aggregation of the INFO field, which may or may not be numeric. Only numeric data can be plotted on a timechart.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
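To make the multi-value point concrete, here is an added Python example (not from the thread and not Splunk code) that parses the question's six sample lines and reproduces on them what `timechart values(VAL) by CLASS` and `timechart latest(VAL) by <roll>` would hand to the chart. It is a stand-in for the SPL above, not a replacement for it: the one-second bucketing, the `roll` field name (the answer's `by No` suggests Splunk's automatic kv extraction picked `No` as the field name, so the field is named explicitly here), `is_plottable` and `chart_for_class` are all assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed input: the six lines from the question's INPUT DATA, verbatim.
SAMPLE_LOG = """\
04 Apr 2018 14:42:32,873 [29] INFO1 - category: CLASS = A1, Roll No = 0, Mark = Low, VAL = 35.69959601
04 Apr 2018 14:42:32,873 [29] INFO1 - category: CLASS = A1, Roll No = 1, Mark = Low, VAL = 25.60819999
04 Apr 2018 14:42:32,873 [29] INFO1 - category: CLASS = A1, Roll No = 2, Mark = Low, VAL = 28.43093038
04 Apr 2018 14:42:40,537 [27] INFO2 - category: CLASS = A2, Roll No = 3, Mark = Low, VAL = 79.92345495
04 Apr 2018 14:42:40,537 [27] INFO2 - category: CLASS = A2, Roll No = 4, Mark = Low, VAL = 75.12605708
04 Apr 2018 14:42:40,537 [27] INFO2 - category: CLASS = A2, Roll No = 5, Mark = Low, VAL = 96.04065139
"""

# Explicit extraction instead of Splunk's automatic kv. The value after
# "Roll No" is stored under the assumed field name `roll`.
LINE_RE = re.compile(
    r"^(?P<time>\d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2},\d{3}) \[\d+\] \w+ - category: "
    r"CLASS = (?P<CLASS>\w+), Roll No = (?P<roll>\d+), Mark = (?P<Mark>\w+), "
    r"VAL = (?P<VAL>\d+(?:\.\d+)?)$"
)


def parse_events(text):
    """Turn raw lines into events with a real _time (like the strptime in the answer) and a numeric VAL."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # a line that does not match is dropped, as a filtering search would
            continue
        events.append({
            "_time": datetime.strptime(m["time"], "%d %b %Y %H:%M:%S,%f"),
            "CLASS": m["CLASS"],
            "roll": m["roll"],
            "Mark": m["Mark"],
            "VAL": round(float(m["VAL"]), 3),  # round before charting, while VAL still exists
        })
    return events


def values_agg(vals):
    """Like values(): the distinct values, sorted; more than one gives a multi-value cell."""
    return sorted(set(vals))


def latest_agg(vals):
    """Like latest(): the single most recent value in the bucket."""
    return vals[-1]


def timechart(events, split_by, agg):
    """Mimic `timechart <agg>(VAL) by <split_by> cont=f`: one row per one-second bucket
    that has data, one column per distinct split_by value, None where a series is empty."""
    buckets = defaultdict(lambda: defaultdict(list))
    for e in sorted(events, key=lambda e: e["_time"]):
        bucket = e["_time"].replace(microsecond=0)
        buckets[bucket][e[split_by]].append(e["VAL"])
    columns = sorted({c for b in buckets.values() for c in b})
    rows = []
    for t in sorted(buckets):
        row = {"_time": t.isoformat(sep=" ")}
        for c in columns:
            row[c] = agg(buckets[t][c]) if buckets[t][c] else None
        rows.append(row)
    return rows


def is_plottable(rows):
    """A chart can draw a series only if every cell is a single number (or empty)."""
    return all(v is None or isinstance(v, float)
               for row in rows for k, v in row.items() if k != "_time")


def chart_for_class(events, cls):
    """What the dashboard should build for the selected CLASS token: latest(VAL) by roll."""
    return timechart([e for e in events if e["CLASS"] == cls], "roll", latest_agg)


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    for label, rows in (("values(VAL) by CLASS", timechart(ev, "CLASS", values_agg)),
                        ("latest(VAL) by roll", timechart(ev, "roll", latest_agg)),
                        ("CLASS=A2, latest(VAL) by roll", chart_for_class(ev, "A2"))):
        print(f"{label}: plottable={is_plottable(rows)}")
        for row in rows:
            print("  ", row)
```

Running it shows the first table with a list of three numbers in the A1 cell of the 14:42:32 bucket (the multi-value cell the answer warns about), while the second and third tables hold exactly one number per roll number and bucket, which is the shape a line chart can draw.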

prysmuser
New Member

Thanks for trying, @niketn! sourcetype="veganew" was a mistake, and I have updated my query. My actual data is huge, with 20 "CLASS" values, and each CLASS has 10 Roll Nos. I have shared only sample data. So I'm planning to select CLASS as a dropdown option and generate a graph of the Low mark with the value for each roll number.

0 Karma

niketn
Legend

@prysmuser, can you try the following?

 host=ControlPC sourcetype="new"  (CLASS AND "MARK = Low" AND INFO) 
| eval CLASS_NO = $CLASS_TOKEN$ 
| eval VAL = round(VAL,3)  
| eval info=if(sourcetype="new", VAL,'Roll No') 
| timechart latest(info) by CLASS_NO usenull=f useother=f limit=0

My confusion about sourcetype="new" is still there. If the base search is filtering sourcetype to new, the if condition will always set info to VAL.

If it does not work, take out the timechart command and check whether, prior to the timechart command, the fields _time, CLASS_NO, VAL and info are populated with values as expected.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma