Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

chart versioning value

Javo222
Path Finder
‎11-01-2014 04:27 PM

Hi,

I'm sure my question is really simple but I've been trying to chart something for a long time and I can't find any similar answer.
I have the following data that I would like to chart either as a line or as un-linked dots:

2014-10-09 11:24:18,867  Starting Service, Version=4.05.009
2014-10-09 09:42:55,700  Starting Service, Version=3.78
2014-10-09 09:41:22,002  Starting Service, Version=3.24.056
2014-10-09 08:40:42,875  Starting Service, Version=3.17

How can I achieve that?
My field is already extracted with the name Starting_Service
Thanks

Tags (1)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎11-01-2014 04:42 PM

I think the key here is to make the multi-dotted version chartable, ie convert it into a number. Here's an example:

| stats count | eval data = "2014-10-09 11:24:18,867 Starting Service, Version=4.05.009
2014-10-09 09:42:55,700 Starting Service, Version=3.78
2014-10-09 09:41:22,002 Starting Service, Version=3.24.056
2014-10-09 08:40:42,875 Starting Service, Version=3.17" | makemv data delim="
" | mvexpand data | rex field=data "^(?<_time>.{23}).*?Version=(?<version>.*)" | eval _time = strptime(_time, "%F %T,%3N")
| eval version_number = tonumber(replace(version, "(\..*)\.", "\1")) | timechart min(version_number) max(version_number)

Note, the line breaks in the strings are necessary to generate this dummy data on-the-lazy.

The key part is the last eval, turning a string with two dots into a decimal number. Needs a little TLC if your versions can have more than just two dots.

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...