Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why my timechart is giving an additional column called "VALUE" ?

sivagujju
New Member
‎01-28-2015 11:59 AM

I am using the below query to create a timechart.

sourcetype=xxx AND source = "xxxx"  | rex "Operation:(?[A-Z]*)"  | rex "\[Tx.*\]:\[(?.*)\]:" | transaction  TransactionId | timechart avg(duration) by Operation

There are only two possible values for Operation: GetToken, SetToken

But in the result, I am seeing 3 columns ( 3 lines in the timechart)
GetToken
SetToken
VALUE (average of GetToken, SetToken for each row)

Why does this VALUE column comes in ? It didnt happen in other queries. What am I doing wrong ?

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

chanfoli
Builder
‎01-28-2015 12:26 PM

I am not sure what the second rex is doing here but the usual splunk syntax for field extraction contains a FIELDNAME as follows:

 sourcetype=xxx AND source = "xxxx"  | rex "Operation:(?<Operation>[A-Z]*)"  | rex "\[Tx.*\]:\[(?<someotherfieldname>.*)\]:" | transaction  TransactionId | timechart avg(duration) by Operation

Perhaps I am just unfamiliar with your extraction syntax.

View solution in original post

Reply
Solved! Jump to solution
Solution

chanfoli
Builder
‎01-28-2015 12:26 PM

I am not sure what the second rex is doing here but the usual splunk syntax for field extraction contains a FIELDNAME as follows:

 sourcetype=xxx AND source = "xxxx"  | rex "Operation:(?<Operation>[A-Z]*)"  | rex "\[Tx.*\]:\[(?<someotherfieldname>.*)\]:" | transaction  TransactionId | timechart avg(duration) by Operation

Perhaps I am just unfamiliar with your extraction syntax.

Reply
Solved! Jump to solution

sivagujju
New Member
‎01-28-2015 12:29 PM

Yeah. I pasted the query wrongly. Second one is the Transaction Id. This is to group the events.

sourcetype=xxx AND source = "xxxx" | rex "Operation:(?[A-Z])" | rex "[Tx.]:[(?.*)]:" | transaction TransactionId | timechart avg(duration) by Operation

0 Karma
Reply
Solved! Jump to solution

chanfoli
Builder
‎01-28-2015 12:38 PM

Have you looked at your results after each step in your search pipeline to verify that both extractions and the transaction command are working as expected?

0 Karma
Reply
Solved! Jump to solution

sivagujju
New Member
‎01-28-2015 01:19 PM

Yeah. In fact there are not many steps.
What I am trying to achieve is, a time chart on average(duration) for each operation. In the end result, I get 3 lines in the chart.
1. GetToken
2. SetToken
3. VALUE ( Where does this come from ??)

0 Karma
Reply
Solved! Jump to solution

chanfoli
Builder
‎01-28-2015 01:26 PM

Yes, understood, to me it sounds like your Operation extraction rex is getting an unexpected value. Do you only see two values for that field if you remove the timechart command.

0 Karma
Reply
Solved! Jump to solution

sivagujju
New Member
‎01-29-2015 04:37 PM

Sorry for the late reply. You were right.. Thanks.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...