Splunk Search

stats values on x-axis and y-axis

Path Finder
basesearch 
| rex max_match=0 "(?m)^(?<totaltime>[^:]+):\s+\[[^\d]*(?<field1>\d+)K-\>(?<field2>\d+)K\((?<field3>\d+)K\),\s+(?<duration>[^\s]+)\ssecs\]"
| table totaltime,duration
| stats or timechart or chart would like to populate totaltime in x-axis and duration in y-axis

I would like to show a trend line graph based on the values of "totaltime" on the x-axis and "duration" on the y-axis. Somehow, when I use stats, I get the values but am unable to see the graph. Attached is the statistics table image from my search.

sample data:
28820.220: [Full GC (System.gc()) 8832K->8624K(37888K), 0.0261704 secs]
29372.500: [Full GC (Allocation Failure) 23984K->8816K(37888K), 0.0013546 secs]
29932.500: [Full GC (Allocation Failure) 24176K->8808K(37888K), 0.0017082 secs]
30492.500: [Full GC (Allocation Failure) 24168K->8960K(37888K), 0.0017122 secs]
31047.500: [Full GC (Allocation Failure) 24320K->8944K(37888K), 0.0020634 secs]
31602.500: [Full GC (Allocation Failure) 24304K->8992K(37888K), 0.0017542 secs]
32157.500: [Full GC (Allocation Failure) 24352K->8968K(37888K), 0.0018971 secs]
32420.247: [Full GC (System.gc()) 16160K->8944K(37888K), 0.0012816 secs]
8186.000: [Full GC (Allocation Failure) 91332K->36212K(246272K), 0.0081127 secs]
8347.676: [Full GC (System.gc()) 42225K->35996K(246272K), 0.0040077 secs]
8347.678: [Full GC (System.gc()) 35996K->21313K(246272K), 0.1147433 secs]
8929.342: [Full GC (Allocation Failure) 76609K->24356K(246784K), 0.0047687 secs]
8952.577: [GC (Allocation Failure) 80164K->29098K(246272K), 0.0053928 secs]
9921.694: [Full GC (Allocation Failure) 84906K->27626K(247808K), 0.0053474 secs]
11567.840: [Full GC (Allocation Failure) 85994K->27730K(247808K), 0.0030062 secs]
11947.795: [Full GC (System.gc()) 41757K->27562K(248320K), 0.0035917 secs]
11947.797: [Full GC (System.gc()) 27562K->22923K(248320K), 0.1237187 secs]

0 Karma

Re: stats values on x-axis and y-axis

Path Finder

attachment for the post

0 Karma

Re: stats values on x-axis and y-axis

Legend

@nagaraju_chittathuru, try the following. Since your data is multivalued, it cannot be plotted on a chart.
Assuming each totaltime is mapped one-to-one with a duration, you can use mvzip() to stitch the two multivalued fields together and then use mvexpand followed by split() to get single-valued fields in the table.

basesearch 
| rex max_match=0 "(?m)^(?<totaltime>[^:]+):\s+\[[^\d]*(?<field1>\d+)K-\>(?<field2>\d+)K\((?<field3>\d+)K\),\s+(?<duration>[^\s]+)\ssecs\]" 
| eval data=mvzip(totaltime, duration)
| mvexpand data
| eval data=split(data,",")
| eval totaltime=mvindex(data,0)
| eval duration=mvindex(data,1)
| table totaltime duration

Looking at your data, it seems like you are doing something wrong in event breaking and event timestamp recognition. Please re-evaluate this, as it is better to get event breaking and timestamps right while indexing rather than at search time.




| eval message="Happy Splunking!!!"



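As an added illustration (not code from the thread or from Splunk), the Python below runs the thread's regex over a constructed copy of the GC lines and shows both routes discussed in this answer and the next: the whole file as one event, where rex max_match=0 yields multivalue fields that mvzip/mvexpand pair by position, and one event per line, which is what SHOULD_LINEMERGE=false would give. GC_EVENT and the helper names are assumptions made for the example.

```python
import re

# Constructed sample: GC lines from the thread as ONE multi-line event, which is
# what Splunk sees when SHOULD_LINEMERGE is left at its default and the whole
# file is indexed as a single event. The leading number on each GC line is JVM
# uptime in seconds, not wall-clock time, so it cannot serve as _time.
GC_EVENT = """\
Java HotSpot(TM) 64-Bit Server VM (25.141-b15) for linux-amd64 JRE (1.8.0141-b15)
Memory: 4k page, physical 132155544k(50054816k free), swap 33553404k(33517360k free)
4.493: [Full GC (System.gc()) 671129K->61731K(32156672K), 0.1042161 secs]
4.597: [Full GC (System.gc()) 61731K->60858K(32156672K), 0.2231717 secs]
8952.577: [GC (Allocation Failure) 80164K->29098K(246272K), 0.0053928 secs]
"""

# Same capture groups as the thread's rex; the GC cause between "[" and the
# first size is skipped with [^\d]* so "Full GC (...)" and "GC (...)" both match.
GC_RE = re.compile(
    r"^(?P<totaltime>[^:]+):\s+\[[^\d]*(?P<field1>\d+)K->(?P<field2>\d+)K"
    r"\((?P<field3>\d+)K\),\s+(?P<duration>\S+)\ssecs\]",
    re.MULTILINE,
)
FIELDS = ("totaltime", "field1", "field2", "field3", "duration")


def extract_multivalued(event):
    """rex max_match=0 on one big event: each field becomes a multivalue list."""
    fields = {k: [] for k in FIELDS}
    for m in GC_RE.finditer(event):
        for k in FIELDS:
            fields[k].append(m.group(k))
    return fields


def mvzip_expand(totaltime, duration):
    """mvzip + mvexpand + split: pair the i-th totaltime with the i-th duration.
    The pairing only holds when both lists came from the same regex matches, so
    unequal lengths are rejected instead of silently mis-pairing rows."""
    if len(totaltime) != len(duration):
        raise ValueError("totaltime and duration are not one-to-one")
    rows = []
    for t, d in zip(totaltime, duration):
        data = ",".join((t, d))         # eval data=mvzip(totaltime, duration)
        parts = data.split(",")         # eval data=split(data, ",")
        rows.append((float(parts[0]), float(parts[1])))  # mvindex 0 and 1
    return rows


def extract_per_line(event):
    """What the table looks like once SHOULD_LINEMERGE=false makes every GC
    line its own event: one row per event, no multivalue handling needed."""
    return [(float(m["totaltime"]), float(m["duration"]))
            for m in map(GC_RE.match, event.splitlines()) if m]
```

The JVM header lines never match, so they contribute nothing to either route; the two result tables are identical, which is the point of breaking events at index time instead.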

Re: stats values on x-axis and y-axis

Path Finder

@niketnilay: This works fine. Quick question on the event split: below is the data as it flows to Splunk as one file. Somehow Splunk is treating the whole file as one event. Is the sample data below supposed to split into 6 events? Please clarify.

Java HotSpot(TM) 64-Bit Server VM (25.141-b15) for linux-amd64 JRE (1.8.0141-b15), built on Sep 11 2017 03:25:22 by "javare" with gcc 4.3.0 20080428
Memory: 4k page, physical 132155544k(50054816k free), swap 33553404k(33517360k free)
4.493: [Full GC (System.gc()) 671129K->61731K(32156672K), 0.1042161 secs]
4.597: [Full GC (System.gc()) 61731K->60858K(32156672K), 0.2231717 secs]
11567.840: [Full GC (Allocation Failure) 85994K->27730K(247808K), 0.0030062 secs]
11947.795: [Full GC (System.gc()) 41757K->27562K(248320K), 0.0035917 secs]
11947.797: [Full GC (System.gc()) 27562K->22923K(248320K), 0.1237187 secs]

0 Karma

Re: stats values on x-axis and y-axis

Legend

How many lines can each file have at most? If this is not huge, and the performance of your regular expression and multivalue field handling commands is within expected norms, then you can skip splitting the events upfront and live with what you currently have.

Anyway, your events will have the File Built Time as their event timestamp (i.e. _time), so if you plan for event timestamp recognition and event breaking, all you need to do is set the SHOULD_LINEMERGE option to false in props.conf for your sourcetype. Refer to the documentation: http://docs.splunk.com/Documentation/Splunk/latest/Data/Setsourcetype

You should also check whether the type of data from the type of system you have already has a default sourcetype, Splunk add-on or Splunk app available. Sorry, but I am not aware of JVMs; someone else might be able to help based on the "Java HotSpot(TM) 64-Bit Server VM (25.141-b15) for linux-amd64 JRE" snippet that you have provided.


[your_jvm_sourcetype]
SHOULD_LINEMERGE=false



| eval message="Happy Splunking!!!"


0 Karma

Re: stats values on x-axis and y-axis

Splunk Employee

Hey @nagaraju_chittathuru, if they solved your problem, remember to "Accept" an answer to award karma points 🙂

0 Karma

Re: stats values on x-axis and y-axis

Path Finder

@Ifedak: It's my pleasure to accept such kind help from the community. In fact, I was discussing the answer further, which is why I was waiting to accept. Now accepted, and thanks for the reminder 🙂

0 Karma