Solved: Re: Chart will not show all the values from my sea...

joesrepsolc · ‎05-18-2020

Doing a search that has a wide range of return values... and the largest one will not display on my chart! I have 7 evals with values, but the chart only display 6 of them! I'm going crazy.

SEARCH:
index=tomcat time_taken_ms=* sourcetype=access_common
|eval Sub1s=if(time_taken_ms>=200 AND time_taken_ms<1000,1,0)
|eval Sub2s=if(time_taken_ms>=1000 AND time_taken_ms<2000,1,0)
|eval Sub3s=if(time_taken_ms>=2000 AND time_taken_ms<3000,1,0)
|eval Sub4s=if(time_taken_ms>=3000 AND time_taken_ms<4000,1,0)
|eval Sub5s=if(time_taken_ms>=4000 AND time_taken_ms<5000,1,0)
|eval Over5s=if(time_taken_ms>=5000 AND time_taken_ms<10000,1,0)
|eval Over10s=if(time_taken_ms>=10000,1,0)
|chart sum(Sub1s) sum(Sub2s) sum(Sub3s) sum(Sub4s) sum(Sub5s) sum(Over5s) sum(Over10s)

PICTURE OUT OUTPUT:

rmmiller · ‎05-20-2020

Although it's intuitive to us, Splunk doesn't quite understand what you're trying to do here. It's assuming your first value, which is sum(Sub1s), is the value you want to chart all of the values by or over.

Try this instead -- I've added a seemingly superfluous eval into a field named time_categories, which is then used with your chart statement:

index=tomcat time_taken_ms=* sourcetype=access_common
| eval time_categories = "time_categories"
| eval Sub1s=if(time_taken_ms>=200 AND time_taken_ms<1000,1,0)
| eval Sub2s=if(time_taken_ms>=1000 AND time_taken_ms<2000,1,0)
| eval Sub3s=if(time_taken_ms>=2000 AND time_taken_ms<3000,1,0)
| eval Sub4s=if(time_taken_ms>=3000 AND time_taken_ms<4000,1,0)
| eval Sub5s=if(time_taken_ms>=4000 AND time_taken_ms<5000,1,0)
| eval Over5s=if(time_taken_ms>=5000 AND time_taken_ms<10000,1,0)
| eval Over10s=if(time_taken_ms>=10000,1,0)
| chart sum(Sub1s) sum(Sub2s) sum(Sub3s) sum(Sub4s) sum(Sub5s) sum(Over5s) sum(Over10s) BY time_categories

There's also another way of doing this without so much maintenance...

If you wanted to add another time category with your current query, you'd have to add the new eval statement and update your chart statement. Rather than individual fields, why not make a single field and use an eval case combination?

index=tomcat time_taken_ms=* sourcetype=access_common
| eval time_category = case(time_taken_ms>=200 AND time_taken_ms<1000,"Sub1s",time_taken_ms>=1000 AND time_taken_ms<2000,"Sub2s",time_taken_ms>=2000 AND time_taken_ms<3000,"Sub3s",time_taken_ms>=3000 AND time_taken_ms<4000,"Sub4s",time_taken_ms>=4000 AND time_taken_ms<5000,"Sub5s",time_taken_ms>=5000 AND time_taken_ms<10000,"Over5s",time_taken_ms>=10000,"Over10s")
| chart count by time_category

Now adding a new time category is as simple as updating the case statement. The chart statement will automatically pick it up.

Hope that helps!
rmmiller

View solution in original post

rmmiller · ‎05-20-2020

Although it's intuitive to us, Splunk doesn't quite understand what you're trying to do here. It's assuming your first value, which is sum(Sub1s), is the value you want to chart all of the values by or over.

Try this instead -- I've added a seemingly superfluous eval into a field named time_categories, which is then used with your chart statement:

index=tomcat time_taken_ms=* sourcetype=access_common
| eval time_categories = "time_categories"
| eval Sub1s=if(time_taken_ms>=200 AND time_taken_ms<1000,1,0)
| eval Sub2s=if(time_taken_ms>=1000 AND time_taken_ms<2000,1,0)
| eval Sub3s=if(time_taken_ms>=2000 AND time_taken_ms<3000,1,0)
| eval Sub4s=if(time_taken_ms>=3000 AND time_taken_ms<4000,1,0)
| eval Sub5s=if(time_taken_ms>=4000 AND time_taken_ms<5000,1,0)
| eval Over5s=if(time_taken_ms>=5000 AND time_taken_ms<10000,1,0)
| eval Over10s=if(time_taken_ms>=10000,1,0)
| chart sum(Sub1s) sum(Sub2s) sum(Sub3s) sum(Sub4s) sum(Sub5s) sum(Over5s) sum(Over10s) BY time_categories

There's also another way of doing this without so much maintenance...

If you wanted to add another time category with your current query, you'd have to add the new eval statement and update your chart statement. Rather than individual fields, why not make a single field and use an eval case combination?

index=tomcat time_taken_ms=* sourcetype=access_common
| eval time_category = case(time_taken_ms>=200 AND time_taken_ms<1000,"Sub1s",time_taken_ms>=1000 AND time_taken_ms<2000,"Sub2s",time_taken_ms>=2000 AND time_taken_ms<3000,"Sub3s",time_taken_ms>=3000 AND time_taken_ms<4000,"Sub4s",time_taken_ms>=4000 AND time_taken_ms<5000,"Sub5s",time_taken_ms>=5000 AND time_taken_ms<10000,"Over5s",time_taken_ms>=10000,"Over10s")
| chart count by time_category

Now adding a new time category is as simple as updating the case statement. The chart statement will automatically pick it up.

Hope that helps!
rmmiller

joesrepsolc · ‎07-03-2020

This method works pretty well actually. Thank You. Instead of focusing on the actual time value, I can group these and just show the counts of the transactions that did happen in less than 1sec, between 2 and 3sec, etc. Charts much better. Appreciate the help. Great community.

rmmiller · ‎07-04-2020

Glad to hear it works well for you!

Happy Splunking!

-rmmiller

rmmiller · ‎05-23-2020

@joesrepsolc Did this answer your question?

Chart will not show all the values from my search.

chart

eval

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases