chart versioning value

Javo222 · ‎11-01-2014

Hi,

I'm sure my question is really simple but I've been trying to chart something for a long time and I can't find any similar answer.
I have the following data that I would like to chart either as a line or as un-linked dots:

2014-10-09 11:24:18,867  Starting Service, Version=4.05.009
2014-10-09 09:42:55,700  Starting Service, Version=3.78
2014-10-09 09:41:22,002  Starting Service, Version=3.24.056
2014-10-09 08:40:42,875  Starting Service, Version=3.17

How can I achieve that?
My field is already extracted with the name Starting_Service
Thanks

martin_mueller · ‎11-01-2014

I think the key here is to make the multi-dotted version chartable, ie convert it into a number. Here's an example:

| stats count | eval data = "2014-10-09 11:24:18,867 Starting Service, Version=4.05.009
2014-10-09 09:42:55,700 Starting Service, Version=3.78
2014-10-09 09:41:22,002 Starting Service, Version=3.24.056
2014-10-09 08:40:42,875 Starting Service, Version=3.17" | makemv data delim="
" | mvexpand data | rex field=data "^(?<_time>.{23}).*?Version=(?<version>.*)" | eval _time = strptime(_time, "%F %T,%3N")
| eval version_number = tonumber(replace(version, "(\..*)\.", "\1")) | timechart min(version_number) max(version_number)

Note, the line breaks in the strings are necessary to generate this dummy data on-the-lazy.

The key part is the last eval, turning a string with two dots into a decimal number. Needs a little TLC if your versions can have more than just two dots.

chart versioning value

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Unify Your SecOps with Splunk Mission Control

Data Preparation Made Easy: SPL2 for Edge Processor