Solved: Cannot find remote data using timechart

huangyingleo · ‎01-04-2017

Here is my test environment, I got two VMs, PC1 and PC2, and PC1 works as a server end and PC2 as a client end. I try to collect vmstat data from PC2. I install Splunk_TA_NIX on both sides.
I can find events like this:

But when I use timechart, all data just vanish. Take a look.

I got confused. Can you give me some ideas to solve this? Thanks....

martin_mueller · ‎01-04-2017

First, flip to the other pages in the table returned by the timechart.

If that doesn't yield data, make sure the field is actually extracted correctly.

View solution in original post

Arun_N_007 · ‎01-05-2017

Try to convert loadAvgIni to number using

..|eval loadAvgIni=tonum(loadAvgIni)|timechart avg(loadAvgIni)

And then do timechart it should work...

Or

You can check loadAvgIni is extracted or not using

index=os host=PC2 sourcetype=vmstat loadAvgIni=*

If it is not returning any data you must extract the field first.

Use multikv to extract values.

index=os host=PC2 sourcetype=vmstat|multikv|timechart avg(loadAvgIni)

Regards,
Arun N

huangyingleo · ‎01-08-2017

Thanks, I think the root cause should be 'loadAvg1mi' is a string field not a number one.

huangyingleo · ‎01-05-2017

Hi, Martin,
Can you take a look at this screenshot?

chimell · ‎01-05-2017

Hi
Verify if loadAvgIni field is well extracted .
And try using this search code :

index=os host=PC2 sourcetype=vmstat |timechart avg(loadAvgIni)

huangyingleo · ‎01-05-2017

Hi, Chimell,
I try you method and it doesnt work....
Also I try "index=os sourcetype=vmstat host=PC2 | timechart avg(threads)" and other fields like memTotalMB. Still nothing in the new form returned by timechart.....

huangyingleo · ‎01-08-2017

Thanks, I think the root cause should be 'loadAvg1mi' is a string field not a number one.

huangyingleo · ‎01-05-2017

I checked other pages in the table returned by timechart and found nothing.
As to "make sure the field is acutally extracted correctly", how? I think I can find data by using "index=os sourcetype=vmstat" and can see events followed by searching, which means field is extracted correctly. Am I right?

martin_mueller · ‎01-04-2017

First, flip to the other pages in the table returned by the timechart.

If that doesn't yield data, make sure the field is actually extracted correctly.

martin_mueller · ‎01-05-2017

That says loadAvg1mi is a string value (see the "a"), you can't compute an average of strings.

What's the value of the field?

huangyingleo · ‎01-08-2017

Yes, Martin,
You are right! I love you!

huangyingleo · ‎01-05-2017

Hi, here is the outcome.

Search command: index=os sourcetype=vmstat host=PC2

Selected Fields

a   host    1   
a   source  1   
a   sourcetype  1

Interesting Fields

a   dest    1   
a   eventtype   1   
a   index   1   
#   linecount   1   
a   loadAvg1mi  1   
a   punct   1   
a   splunk_server   1   
a   src 1   
a   tag 8   
a   tag::eventtype  8   
a   timestamp   1

martin_mueller · ‎01-05-2017

Run index=os sourcetype=vmstat in smart mode and see if the field appears in the left bar.

huangyingleo · ‎01-05-2017

Hi, Martin,
But how to "make sure the field is actually extracted corrently"? I think I can generate events by "index=os sourcetype=vmstat" like picture 1, which means the raw data is collected.

Cannot find remote data using timechart

Search command: index=os sourcetype=vmstat host=PC2

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?