Splunk Search
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

stats values on x-axis and y-axis

nagaraju_chitta
Path Finder
‎10-09-2017 12:24 AM 
basesearch 
| rex "(?m)^(?<totaltime>[^:]+):\s+\[\s+(?<field1>\d+)K-\>(?<field2>\d+)K\((?<field3>\d+)K\),\s+(?<duration>[^\s]+)\ssecs\]" 
| table totaltime,duration
| stats or timechart or chart would like to populate totaltime in x-axis and duration in y-axis

would like to show trend line graph based on the values of "totaltime" in x-axis and "duration" in y-axis . Some how I am using stats and I am getting the values and unable to see the graph.attached is the statistics table image from my search

sample data:
28820.220: [Full GC (System.gc()) 8832K->8624K(37888K), 0.0261704 secs]
29372.500: [Full GC (Allocation Failure) 23984K->8816K(37888K), 0.0013546 secs]
29932.500: [Full GC (Allocation Failure) 24176K->8808K(37888K), 0.0017082 secs]
30492.500: [Full GC (Allocation Failure) 24168K->8960K(37888K), 0.0017122 secs]
31047.500: [Full GC (Allocation Failure) 24320K->8944K(37888K), 0.0020634 secs]
31602.500: [Full GC (Allocation Failure) 24304K->8992K(37888K), 0.0017542 secs]
32157.500: [Full GC (Allocation Failure) 24352K->8968K(37888K), 0.0018971 secs]
32420.247: [Full GC (System.gc()) 16160K->8944K(37888K), 0.0012816 secs]
8186.000: [Full GC (Allocation Failure) 91332K->36212K(246272K), 0.0081127 secs]
8347.676: [Full GC (System.gc()) 42225K->35996K(246272K), 0.0040077 secs]
8347.678: [Full GC (System.gc()) 35996K->21313K(246272K), 0.1147433 secs]
8929.342: [Full GC (Allocation Failure) 76609K->24356K(246784K), 0.0047687 secs]
8952.577: [GC (Allocation Failure) 80164K->29098K(246272K), 0.0053928 secs]
9921.694: [Full GC (Allocation Failure) 84906K->27626K(247808K), 0.0053474 secs]
11567.840: [Full GC (Allocation Failure) 85994K->27730K(247808K), 0.0030062 secs]
11947.795: [Full GC (System.gc()) 41757K->27562K(248320K), 0.0035917 secs]
11947.797: [Full GC (System.gc()) 27562K->22923K(248320K), 0.1237187 secs]

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎10-09-2017 02:57 AM

@nagaraju_chittathuru, try the following. Since your data is multivalued it can not be plotted on a chart.
Assuming each totaltime is mapped one-to-one with a duration, you can use mvzip() to stitch two multivalued fields and then use mvexpand followed by split() to get single valued field in table.

 basesearch 
| rex "(?m)^(?<totaltime>[^:]+):\s+\[\s+(?<field1>\d+)K-\>(?<field2>\d+)K\((?<field3>\d+)K\),\s+(?<duration>[^\s]+)\ssecs\]" 
| eval data=mvzip(totaltime, duration)
| mvexpand data
| eval data=split(data,",")
| eval totaltime=mvindex(data,0)
| eval duration=mvindex(data,1)
| table totaltime duration

Looking at your data seems like you are doing something wrong in event breaking and event timestamp recognition. Please reevaluate the same as it is better to identify correct events breaking and timestamp while indexing rather than during search time.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Reply
Solved! Jump to solution

lfedak_splunk
Splunk Employee
Splunk Employee
‎10-09-2017 05:14 PM

Hey @nagaruju_chittathuru, if they solved your problem, remember to "√Accept" an answer to award karma points 🙂

0 Karma
Reply
Solved! Jump to solution

nagaraju_chitta
Path Finder
‎10-10-2017 01:02 AM

@Ifedak: its my pleasure to accept for such a kind of help from the community.Infact was discussing the answer further that's where I was waiting to accept.now accepted and thanks for reminder 🙂

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎10-09-2017 11:53 AM

How many lines maximum can each file have? If this is not huge and performance of your regular Expression and multi-value field handling commands is under expected norms then you can ignore splitting of events upfront and live with what you currently have.

Anyways your events will have File Built Time as its event timestamp (i.e. _time), so if you plan for event timestamp recognition and event breaking, all you need to do is to set theSHOULD_LINEMERGE option to false in props.conf for your sourcetype. Refer to documentation: http://docs.splunk.com/Documentation/Splunk/latest/Data/Setsourcetype

You should also read about whether the type of data from the type of system you have already have default sourcetype, Splunk add on or Splunk App available or not. Sorry but I am not aware of JVMs, but someone else might be able to help based on the Java HotSpot(TM) 64-Bit Server VM (25.141-b15) for linux-amd64 JRE snippet that you have provided.

alt text

[ your_jvm_sourcetype]
SHOULD_LINEMERGE=false
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
addjvmdata.png
Preview file
93 KB
0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎10-09-2017 02:57 AM

@nagaraju_chittathuru, try the following. Since your data is multivalued it can not be plotted on a chart.
Assuming each totaltime is mapped one-to-one with a duration, you can use mvzip() to stitch two multivalued fields and then use mvexpand followed by split() to get single valued field in table.

 basesearch 
| rex "(?m)^(?<totaltime>[^:]+):\s+\[\s+(?<field1>\d+)K-\>(?<field2>\d+)K\((?<field3>\d+)K\),\s+(?<duration>[^\s]+)\ssecs\]" 
| eval data=mvzip(totaltime, duration)
| mvexpand data
| eval data=split(data,",")
| eval totaltime=mvindex(data,0)
| eval duration=mvindex(data,1)
| table totaltime duration

Looking at your data seems like you are doing something wrong in event breaking and event timestamp recognition. Please reevaluate the same as it is better to identify correct events breaking and timestamp while indexing rather than during search time.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

nagaraju_chitta
Path Finder
‎10-09-2017 04:59 AM

@niketn: This works fine. Quick question on the event split. below is the data it flows to splunk as one file.somehow splunk is splitting the whole file as one event. Is this below sample data supposed to split as 6 events?please clarify

Java HotSpot(TM) 64-Bit Server VM (25.141-b15) for linux-amd64 JRE (1.8.0_141-b15), built on Sep 11 2017 03:25:22 by "java_re" with gcc 4.3.0 20080428
Memory: 4k page, physical 132155544k(50054816k free), swap 33553404k(33517360k free)
4.493: [Full GC (System.gc()) 671129K->61731K(32156672K), 0.1042161 secs]
4.597: [Full GC (System.gc()) 61731K->60858K(32156672K), 0.2231717 secs]
11567.840: [Full GC (Allocation Failure) 85994K->27730K(247808K), 0.0030062 secs]
11947.795: [Full GC (System.gc()) 41757K->27562K(248320K), 0.0035917 secs]
11947.797: [Full GC (System.gc()) 27562K->22923K(248320K), 0.1237187 secs]

0 Karma
Reply
Solved! Jump to solution

nagaraju_chitta
Path Finder
‎10-09-2017 02:07 AM

alt text

alt text

attachment for the post

visualizationtab.png
Preview file
25 KB
statisticstab.png
Preview file
53 KB
0 Karma
Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...
Top