Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to produce multiple values graphs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We have a log of some metrics that look like this:
20:45:00 10.10.71.01 values : [12035313, 233658, 0, 0, 24249, 13058, 0, 229867, 0, 0, 0, 0, 24249, 0, 0, 0, 37307, 0, 257907, 42125, 320380, 0]
I can pull out each of the values and produce a table.
| rex field=_raw "\[(?.*)]"
| eval counters = split( results,",")
| eval Requests=mvindex(counters,1) etc
However, I want to produce a multiline graph, is this possible?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
You could try something like this:
| makeresults count=20
| eval values="values : [".random().", ".random().", ".tostring(random()%2).", ".tostring(random()%1).", ".random()."]"
| eval ip="127.0.0.1"
| eval _time = _time - random()%600
| eval _raw=strftime(_time, "%H:%M:%S")." ".ip." ".values
| rename COMMENT as "--- Sample Generated Values above ---"
| rex field=_raw "\[(?<results>.*)\]"
| eval counters = split( results,", ")
| eval index_counters=mvzip(mvrange(0, mvcount(counters), 1), counters, "-")
| mvexpand index_counters
| eval index_counters=split(index_counters, "-")
| eval CounterType=mvindex(index_counters, 0)
| eval CounterValue=mvindex(index_counters, 1)
| fields _time CounterType CounterValue _raw
| timechart max(CounterValue) as CounterValue by CounterType
| fillnull value=0
Hope it helps!!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
You could try something like this:
| makeresults count=20
| eval values="values : [".random().", ".random().", ".tostring(random()%2).", ".tostring(random()%1).", ".random()."]"
| eval ip="127.0.0.1"
| eval _time = _time - random()%600
| eval _raw=strftime(_time, "%H:%M:%S")." ".ip." ".values
| rename COMMENT as "--- Sample Generated Values above ---"
| rex field=_raw "\[(?<results>.*)\]"
| eval counters = split( results,", ")
| eval index_counters=mvzip(mvrange(0, mvcount(counters), 1), counters, "-")
| mvexpand index_counters
| eval index_counters=split(index_counters, "-")
| eval CounterType=mvindex(index_counters, 0)
| eval CounterValue=mvindex(index_counters, 1)
| fields _time CounterType CounterValue _raw
| timechart max(CounterValue) as CounterValue by CounterType
| fillnull value=0
Hope it helps!!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| eval index_counters=mvzip(mvrange(0, mvcount(counters), 1), counters, "-")
| mvexpand index_counters
| eval index_counters=split(index_counters, "-")
| eval CounterType=mvindex(index_counters, 0)
| eval CounterValue=mvindex(index_counters, 1)
| fields _time CounterTypes CounterValue _raw | sort _time
| table CounterValue , CounterTypes, _time
When I run this query, I get a result of 21 counterTypes, starting a 0
When I replace the last line with
| timechart max(CounterValue) as CounterValue by CounterType
in the preview there is only 11 columns including others, the other counter types are missing
0 1 10 11 12 13 14 15 16 17 OTHER
and when look at the visualizations the legend only includes the value above and there is a diagonal line going up from left to right
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try using this:
...
| timechart max(CounterValue) as CounterValue by CounterType limit=0 useother=0
And in visualizations choose Line Chart
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
okay that fixed it so I get all the counter types.
The lines were not being drawn. I found i had another problem with
| eval counters = split( results,",")
changed it to so there is a space after the comma and all the line get drawn
| eval counters = split( results,", ")
Now I need to figure out how to change the CounterType from a number to the correct name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could use rename at the end of the search string:
....
| rename 0 as Zero_Counter, 1 as First_Counter ....
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After a week of putting out other fires
Okay that works as long as you don't use the Trellis layout
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Event Series: Telemetry Pipeline Management
Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...
Deep insights, no barriers: Splunk Observability Cloud Free Edition
