- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to produce multiple values graphs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We have a log of some metrics that look like this:
20:45:00 10.10.71.01 values : [12035313, 233658, 0, 0, 24249, 13058, 0, 229867, 0, 0, 0, 0, 24249, 0, 0, 0, 37307, 0, 257907, 42125, 320380, 0]
I can pull out each of the values and produce a table.
| rex field=_raw "\[(?.*)]"
| eval counters = split( results,",")
| eval Requests=mvindex(counters,1) etc
However, I want to produce a multiline graph, is this possible?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
You could try something like this:
| makeresults count=20
| eval values="values : [".random().", ".random().", ".tostring(random()%2).", ".tostring(random()%1).", ".random()."]"
| eval ip="127.0.0.1"
| eval _time = _time - random()%600
| eval _raw=strftime(_time, "%H:%M:%S")." ".ip." ".values
| rename COMMENT as "--- Sample Generated Values above ---"
| rex field=_raw "\[(?<results>.*)\]"
| eval counters = split( results,", ")
| eval index_counters=mvzip(mvrange(0, mvcount(counters), 1), counters, "-")
| mvexpand index_counters
| eval index_counters=split(index_counters, "-")
| eval CounterType=mvindex(index_counters, 0)
| eval CounterValue=mvindex(index_counters, 1)
| fields _time CounterType CounterValue _raw
| timechart max(CounterValue) as CounterValue by CounterType
| fillnull value=0
Hope it helps!!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
You could try something like this:
| makeresults count=20
| eval values="values : [".random().", ".random().", ".tostring(random()%2).", ".tostring(random()%1).", ".random()."]"
| eval ip="127.0.0.1"
| eval _time = _time - random()%600
| eval _raw=strftime(_time, "%H:%M:%S")." ".ip." ".values
| rename COMMENT as "--- Sample Generated Values above ---"
| rex field=_raw "\[(?<results>.*)\]"
| eval counters = split( results,", ")
| eval index_counters=mvzip(mvrange(0, mvcount(counters), 1), counters, "-")
| mvexpand index_counters
| eval index_counters=split(index_counters, "-")
| eval CounterType=mvindex(index_counters, 0)
| eval CounterValue=mvindex(index_counters, 1)
| fields _time CounterType CounterValue _raw
| timechart max(CounterValue) as CounterValue by CounterType
| fillnull value=0
Hope it helps!!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| eval index_counters=mvzip(mvrange(0, mvcount(counters), 1), counters, "-")
| mvexpand index_counters
| eval index_counters=split(index_counters, "-")
| eval CounterType=mvindex(index_counters, 0)
| eval CounterValue=mvindex(index_counters, 1)
| fields _time CounterTypes CounterValue _raw | sort _time
| table CounterValue , CounterTypes, _time
When I run this query, I get a result of 21 counterTypes, starting a 0
When I replace the last line with
| timechart max(CounterValue) as CounterValue by CounterType
in the preview there is only 11 columns including others, the other counter types are missing
0 1 10 11 12 13 14 15 16 17 OTHER
and when look at the visualizations the legend only includes the value above and there is a diagonal line going up from left to right
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try using this:
...
| timechart max(CounterValue) as CounterValue by CounterType limit=0 useother=0
And in visualizations choose Line Chart
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
okay that fixed it so I get all the counter types.
The lines were not being drawn. I found i had another problem with
| eval counters = split( results,",")
changed it to so there is a space after the comma and all the line get drawn
| eval counters = split( results,", ")
Now I need to figure out how to change the CounterType from a number to the correct name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could use rename at the end of the search string:
....
| rename 0 as Zero_Counter, 1 as First_Counter ....
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After a week of putting out other fires
Okay that works as long as you don't use the Trellis layout
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
