Re: Make line chart from 2 multivalue fields

arielamar123 · ‎08-25-2021

Hi,

I have 2 multivalue fields I want to make a simple line chart out of them.
Each event looks like this
x: [0.1,0.2,0.3,0.4,0.5] , y: [1.7, 1.4, 2.4, 5.5 ,4.7]
Where x and y are multivalue fields in the event.

The line chart should be an average graph of those values in the selected time range.

I tried using mvexpand and it didn't work.

ITWhisperer · ‎08-25-2021

| eval xy=mvzip(x,y,"!")
| mvexpand xy
| eval x=mvindex(split(xy,"!"),0)
| eval y=mvindex(split(xy,"!"),1)
| fields - xy

arielamar123 · ‎08-25-2021

I ran your query , it did nothing , the event is the same as before and I can't create a line chart out of those fields.

ITWhisperer · ‎08-25-2021

It would probably help if you gave a bit more detail about your data and your search

arielamar123 · ‎08-25-2021

My index gets the following events of this kind:
{
x: [1,2,3,4,5],
y:[7,4,1,8,3]
}

{
x: [1,2,3,4,5],
y:[5,1,7,8,2]
}

I want to build a line chart of y as function of x : f(x) = y
x values are always the same and y values are changing as function of time.

The line chart I want is the average y values for each matching x value along the selected time range.

ITWhisperer · ‎08-25-2021

Still not a lot to go on - assuming you have already extracted x and y as multi-value fields, and that each event has a _time field, try this

| eval xy=mvzip(x,y,"!")
| mvexpand xy
| eval x=mvindex(split(xy,"!"),0)
| eval y=mvindex(split(xy,"!"),1)
| fields - xy
| xyseries _time x y

Make line chart from 2 multivalue fields

chart

fields

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes