Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Selecting which fields to plot based on subsearch

mboisson
Engager
‎12-04-2014 06:49 AM

Hi,
I am trying to create a timechart which data would be based on a subsearch. Here is what I have so far : 

index=perf_mon test_nvidia |  | timechart bins=100 [search  | rex mode=sed field=gpus "s/GPU(\d+)/avg(mem_used\1_GB) as GPU\1,/g" | nomv gpus | rename gpus as search| format "" "" "" "" "" "by host" | rex mode=sed field=search "s/\"//g"]

The first search yields fields named

mem_used0_GB
...
mem_used7_GB

Now, the subsearch 

| rex mode=sed field=gpus "s/GPU(\d+)/avg(mem_used\1_GB) as GPU\1,/g" | nomv gpus | rename gpus as search| format "" "" "" "" "" "by host" | rex mode=sed field=search "s/\"//g"
produces a single field called "search", which contains : 
 avg(mem_used4_GB) as GPU4, avg(mem_used5_GB) as GPU5, by host

However, when I add the subsearch to the timechart command, Splunk gives me the error : 

Error in 'timechart' command: The argument ' avg(mem_used5_GB)' is invalid.

What am I doing wrong ?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mboisson
Engager
‎12-04-2014 07:51 AM

I have not managed to do it within the timechart command. However, it works if I first do it in a "fields" command, aka : 

index=perf_mon test_nvidia | fields [search ... ],_*,host | timechart ...

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

mboisson
Engager
‎12-04-2014 07:51 AM

I have not managed to do it within the timechart command. However, it works if I first do it in a "fields" command, aka : 

index=perf_mon test_nvidia | fields [search ... ],_*,host | timechart ...
0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...