I'm trying to plot a timechart with below data. Empty Graph is displayed on the correct X-axis and Y-axis but values are not plotted in the graph. i'm planning to keep CLASS as drop down so when particular Class is selected corresponding Timechart with mark VAL should be plotted for each roll No
INPUT DATA:
04 Apr 2018 14:42:32,873 [29] INFO1 - category: CLASS = A1, Roll No = 0, Mark = Low, VAL = 35.69959601
04 Apr 2018 14:42:32,873 [29] INFO1 - category: CLASS = A1, Roll No = 1, Mark = Low, VAL = 25.60819999
04 Apr 2018 14:42:32,873 [29] INFO1 - category: CLASS = A1, Roll No = 2, Mark = Low, VAL = 28.43093038
04 Apr 2018 14:42:40,537 [27] INFO2 - category: CLASS = A2, Roll No = 3, Mark = Low, VAL = 79.92345495
04 Apr 2018 14:42:40,537 [27] INFO2 - category: CLASS = A2, Roll No = 4, Mark = Low, VAL = 75.12605708
04 Apr 2018 14:42:40,537 [27] INFO2 - category: CLASS = A2, Roll No = 5, Mark = Low, VAL = 96.04065139
Source code:
host=ControlPC sourcetype="new" (CLASS AND "MARK = Low" AND INFO) | CLASS_NO = $CLASS_TOKEN$ |eval VAL = round(VAL,3) | eval info=if(sourcetype="new", VAL,Roll No) | timechart VALUES(info) usenull=false by CLASS_NO
@prysmuser, if you perform values(info)
alone in the timechart it will become a multi-value field which can not be plotted on timechart. Refer to Statistical Functions to understand how they work and when you should use them.
Following is a run anywhere example based on sample data provided (commands from | makeresults
till | KV
are used to create dummy data to test timechart command. PS: I have used cont=f
to retain only the time information where data is present and drop the other spans of time with no data.
| makeresults
| eval data="04 Apr 2018 14:42:32,873 [29] INFO1 - category: CLASS = A1, Roll No = 0, Mark = Low, VAL = 35.69959601;04 Apr 2018 14:42:32,873 [29] INFO1 - category: CLASS = A1, Roll No = 1, Mark = Low, VAL = 25.60819999;04 Apr 2018 14:42:32,873 [29] INFO1 - category: CLASS = A1, Roll No = 2, Mark = Low, VAL = 28.43093038;04 Apr 2018 14:42:40,537 [27] INFO2 - category: CLASS = A2, Roll No = 3, Mark = Low, VAL = 79.92345495;04 Apr 2018 14:42:40,537 [27] INFO2 - category: CLASS = A2, Roll No = 4, Mark = Low, VAL = 75.12605708;04 Apr 2018 14:42:40,537 [27] INFO2 - category: CLASS = A2, Roll No = 5, Mark = Low, VAL = 96.04065139"
| makemv data delim=";"
| mvexpand data
| rename data as _raw
| rex "(?<time>\d{2}\s\w{3}\s\d{4}\s\d{2}\:\d{2}\:\d{2}\,\d{3})"
| eval _time=strptime(time,"%d %b %Y %H:%M:%S,%3N")
| KV
| timechart latest(VAL) as VAL by No cont=f usenull=f useother=f limit=0
| eval VAL=round(VAL,1)
Couple of questions from your query
1) In the base search sourcetype="new"
is filtered result however, however eval uses sourcetype="veganew" condition which will never be true.
2) What is NAME
field
3) You have performed aggregation of INFO field which may or may not be numeric. Only numeric data can be plotted on timechart.
Thanks for trying niketally! sourcetype="veganew" was a mistake, and i have updated my new query. My actual data is huge with 20 "CLASS" and each CLASS has 10 Roll No. I have shared only sample data. So, i'm planning to select CLASS as dropdown option and generate graph of low mark with value for each roll number.
@prysmuser, can you try the following?
host=ControlPC sourcetype="new" (CLASS AND "MARK = Low" AND INFO)
| eval CLASS_NO = $CLASS_TOKEN$
| eval VAL = round(VAL,3)
| eval info=if(sourcetype="new", VAL,'Roll No')
| timechart latest(info) by CLASS_NO usenull=f useother=f limit=0
My confusion for sourcetype="new"
is still there. If base search is filtering sourcetype
to new
, the if condition will always set info to VAL
If it does not work, take out the timechart command and check whether, prior to the timechart command, have you checked whether fields _time CLASS_NO, VAL and info are populating values as expected or not?