Solved: How to graph values using timechart?

tgow · ‎03-28-2011

Here is a snippet from my logfile:

Mar 24 01:31:11,388  INFO [0x41401960]: NoSnmpMibInstance: CountWorker.ProcLoTimes = 11628^8861^1.31^0^291

I want to pull the number in between the 2nd and 3rd caret, create field called "plavg" and graph the values along the X axis:

| rex field=_raw "CountWorker.ProcLoTimes\s+=\s+\d+\^\d+\^(?<plavg>[^\^]+)" | timechart values(plavg)

The regex is working but the timechart is not. How do I graph the values from my logfile on a timechart? Do I have to convert the "1.31" from a string to a number?

Thanks in advance.

tgow · ‎03-28-2011

Timechart was putting the data into 10 minute buckets by default and the time interval for the events was less than a minute. This resulted in multiple values per time interval so it wouldn't graph. Here is search that worked:

| rex field=_raw "CountWorker.ProcLoTimes\s+=\s+\d+\^\d+\^(?[^\^]+)" | timechart span=30s values(plavg)

You have to use values because timechart needs a function before the field.

View solution in original post

tgow · ‎03-28-2011

Timechart was putting the data into 10 minute buckets by default and the time interval for the events was less than a minute. This resulted in multiple values per time interval so it wouldn't graph. Here is search that worked:

| rex field=_raw "CountWorker.ProcLoTimes\s+=\s+\d+\^\d+\^(?[^\^]+)" | timechart span=30s values(plavg)

You have to use values because timechart needs a function before the field.

How to graph values using timechart?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!