Splunk Search

Question about MVfields

Path Finder

Hello there,

Is it possible to chart a multivalued field against another multivalued field of the same size?

For example MVfields Array1(1 2 3 4 5) to Array2 (A B C D E) and have a bar chart that lists X-axis Array2 vs Y-axis Array1 with bar A = 1, bar B=2, bar C=3 etc...

Something like this...

Array 1
5 X
4 X X
3 X X X
2 X X X X
1 X X X X X
  A B C D E <----Array 2

Also what about a single Array in the form of Array3(A=1 B=2 C=3 D=4 E=5) where I want the same chart drawn above?

I am looking for something where I can do...

| chart Array1 by Array2

2.) This is confusing to me. Do you always need an aggregate in order to chart something? So if I had two columns, Letters (A B C D E) and Numbers (1 2 3 4 5), I would have to use avg, sum, min on one of the columns in order to chart?

So instead of having the bar chart drawn above I must combine the Letters or the Numbers column into a single value first?

3.) Is it possible in Splunk to iterate or loop over a MVfield contents and perform actions on them? To do something simple like this pseudocode

MVfield = [1 2 3 4 5]
for (int i = 0; i < MVfield.length; i++)

and change it to [2 3 4 5 6]

Thanks 🙂

0 Karma


Kind of a longshot, but are the multivalue fields coming out of search language that you're doing yourself? i.e. from a stats list(foo) list(bar) search? Or are they in the events themselves?

Because if you're creating them yourself then you might be going down a hard road for no reason -- If you back up a step and instead of that stats, do one of the following:

<your search> | stats count by foo bar

<your search> | chart count over bar by foo

<your search> | contingency foo bar

On the other hand, if the multivalue fields are coming right off the events, then this is not helpful. 😃

0 Karma

Super Champion

Isn't the slope of your chart backwards? A=1 not A=5

0 Karma

Super Champion

Let me throw out a general thought/observation before jumping into your question... It seems like you're coming from a very programmatic perspective with this question. And while such a background can be quite useful at certain times when using Splunk, you should try to keep in mind that it's geared towards end users, analysts, system admins (and even aiming at being management-friendly) and so therefore it generally doesn't require programmatic thinking to get results (don't get me wrong, there are lots of goodies for programmers too). I'm just trying to point out that it may be easier to wrap your head around getting the most out of Splunk if you try to approach it from a non-programmer's perspective. Enough of that, jumping in to your question...

It seems like there's some confusion about how multi-valued fields work. If you have a set of related x-y values, you generally have one event that represents a single set of (x,y) coordinates, not a single event that contains pairs of x/y values (which is where Splunk would use a multi-valued x and a multi-valued y). So when you ask about the pseudo-example "| chart Array1 by Array2" that would more accurately translate into trying to chart an array-of-arrays by another array-of-arrays. (Now it would be possible to collapse arrays of arrays into a single array first, perhaps that's where your question is going... but I don't think it's supported out of the box, and I suspect there may be another (easier) way.)

What splunk offers

If you have multiple fields then you can unroll them with mvexpand but you can't do that with two fields at the same time. (And doing two mvexpand commands back to back will not work right either.)

If you want to chart an independent list of x and y coordinates, then I think you want to use the xyseries command. But I'm not sure how this would work exactly with multi-value fields.
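
One way to pair two multivalue fields before expanding them, as an added example that is not part of the original thread. It assumes Array1 and Array2 have the same length and order, builds them with makeresults as constructed sample data, and uses the hypothetical field names pair, letter and number.

```spl
| makeresults
| eval Array1=split("1 2 3 4 5", " "), Array2=split("A B C D E", " ")
| eval pair=mvzip(Array2, Array1, "=")
| mvexpand pair
| eval letter=mvindex(split(pair, "="), 0)
| eval number=tonumber(mvindex(split(pair, "="), 1))
| chart max(number) AS number by letter
```

Because mvexpand leaves one row per letter, any aggregate (max, sum, avg) returns the value itself, which is why chart still takes one. A field already in the Array3 form (A=1 B=2 ...) can skip the mvzip step and go straight into mvexpand.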