Solved: Why do I only see numeric values without a decimal...

SilviaGebel · ‎04-13-2015

Hi,

I am trying to make a chart of the measured force over time.

This is the search I am using: |chart values(force) over _time
The force values are comma separated. In the chart I can only see the values that are not decimal. (which are just two events)

I am sure there is an eval command or something else that I can use in order for the values(...) function to use the values that are comma separated.

Does anyone know how to solve this?
Thank you for your advice in advance!

Silvia

martin_mueller · ‎04-14-2015

You will need to convert the German-style decimals to English-style decimals, for example something like this:

... | eval force = replace(force, ",", ".") | ...

Then Splunk will treat them as decimals rather than strings.

Do you have multiple values for one _time value? If so, using values(force) will return a multi-valued field with all values of force for that timestamp, which again would not be chartable.

View solution in original post

fdi01 · ‎04-14-2015

try with stats command like this:
...|stats values(force) by _time
or
...|stats list(force) by _time

martin_mueller · ‎04-14-2015

chart and stats should be treating numbers the same way, so this doesn't help.

martin_mueller · ‎04-14-2015

You will need to convert the German-style decimals to English-style decimals, for example something like this:

... | eval force = replace(force, ",", ".") | ...

Then Splunk will treat them as decimals rather than strings.

Do you have multiple values for one _time value? If so, using values(force) will return a multi-valued field with all values of force for that timestamp, which again would not be chartable.

martin_mueller · ‎04-14-2015

Timechart buckets the data into equal time slots, eg all values in a second. That results in one value per bucket, so there has to be a reducing function. You can overcome some issues by using min, avg, and max together.

SilviaGebel · ‎04-14-2015

Ok thank you.

SilviaGebel · ‎04-14-2015

Is it possible to show all values using |timechart instead of |chart values(force) over _time ?
It seems like timechart can only be combined with avg(force) or count etc. but not with single values of single events

SilviaGebel · ‎04-14-2015

Yes, this works! Thank you so much!

martin_mueller · ‎04-13-2015

A shot in the dark: Are your decimal values possibly 0,5 for one half instead of 0.5, ie with a comma instead of a decimal point?

SilviaGebel · ‎04-13-2015

They are all seperated by a comma except for two values. For example:

5,678 MPa
4,385 MPa
6 MPa
5,015 MPa
6 MPa

In the chart i can only show these two 6 MPa.

What I want to see is a timechart, where every single measured value is shown.
Y-axis= force in MPa
X-axis= _time

aweitzman · ‎04-13-2015

Could you please provide some sample events, and the chart values you would expect to get from them?

Why do I only see numeric values without a decimal when using "|chart values(...) " for comma separated values?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?