Splunk Search

Why do I only see numeric values without a decimal when using "|chart values(...) " for comma separated values?

SilviaGebel
Path Finder

Hi,

I am trying to make a chart of the measured force over time.

This is the search I am using: |chart values(force) over _time
The force values are comma separated. In the chart I can only see the values that are not decimal. (which are just two events)

I am sure there is an eval command or something else that I can use in order for the values(...) function to use the values that are comma separated.

Does anyone know how to solve this?
Thank you for your advice in advance!

Silvia

0 Karma

martin_mueller
SplunkTrust

You will need to convert the German-style decimals to English-style decimals, for example something like this:

... | eval force = replace(force, ",", ".") | ...

Then Splunk will treat them as decimals rather than strings.

Do you have multiple values for one _time value? If so, using values(force) will return a multi-valued field with all values of force for that timestamp, which again would not be chartable.

fdi01
Motivator

Try with the stats command like this:
...|stats values(force) by _time
or
...|stats list(force) by _time

0 Karma

martin_mueller
SplunkTrust

chart and stats should be treating numbers the same way, so this doesn't help.

0 Karma

martin_mueller
SplunkTrust

Timechart buckets the data into equal time slots, e.g. all values in a second. That results in one value per bucket, so there has to be a reducing function. You can overcome some issues by using min, avg, and max together.

0 Karma

SilviaGebel
Path Finder

Ok thank you.

0 Karma

SilviaGebel
Path Finder

Is it possible to show all values using |timechart instead of |chart values(force) over _time ?
It seems like timechart can only be combined with avg(force) or count etc., but not with single values of single events.

0 Karma

SilviaGebel
Path Finder

Yes, this works! Thank you so much!

0 Karma

martin_mueller
SplunkTrust

A shot in the dark: Are your decimal values possibly 0,5 for one half instead of 0.5, i.e. with a comma instead of a decimal point?

SilviaGebel
Path Finder

They are all separated by a comma except for two values. For example:

5,678 MPa
4,385 MPa
6 MPa
5,015 MPa
6 MPa

In the chart I can only show these two 6 MPa.

What I want to see is a timechart, where every single measured value is shown.
Y-axis= force in MPa
X-axis= _time

0 Karma

aweitzman
Motivator

Could you please provide some sample events, and the chart values you would expect to get from them?

0 Karma
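
The decimal conversion from the accepted answer combined with the min/avg/max timechart suggestion, as an added example that is not part of any post in this thread. The events are constructed with makeresults from the five values quoted in the question, one per second; that the force field carries the " MPa" unit suffix is an assumption the thread does not confirm.

```spl
| makeresults count=5
| streamstats count AS n
| eval _time = _time + n
| eval force = case(n==1, "5,678 MPa", n==2, "4,385 MPa", n==3, "6 MPa", n==4, "5,015 MPa", n==5, "6 MPa")
| eval force = replace(force, "\s*MPa$", "")
| eval force = tonumber(replace(force, ",", "."))
| timechart span=1s min(force) AS min_force avg(force) AS avg_force max(force) AS max_force
```

Without the two replace steps, tonumber returns null for every value except the two plain 6 readings, which matches the chart described in the question.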