Refine your search:

We've got an XML file that is being parsed correctly (and easily - just piped into xmlkv) but one of the fields is numeric and I'm darned if I can figure out how to get the timechart to show the actual value for this particular field over time - timechart seems to want statistical functions like max, average, etc. rather than just throw up the value for that field.

What I'm trying to do is pretty simple and would look like this: source="foo.xml" | xmlkv | timechart valueOf(some_numeric_value)

FWIW, it looks like the extracted field knows it's a numeric value as there is an italic (n) behind the field name.

asked 18 Aug '11, 17:13

mikeely's gravatar image

mikeely
97219
accept rate: 16%

edited 18 Aug '11, 17:14


2 Answers:

By definition, the timechart command requires a function as its first argument. Why? Because Splunk cannot plot every possible time on the X-axis; it must aggregate the time into ranges. The function is required for the Y-axis so that Splunk knows how to aggregate the data points consistently with the time ranges (aka spans).

So if your field is named fbar, you have to choose some function that tells Splunk how to aggregate fbar for the timechart. You have lots of choices:

timechart avg(fbar)
timechart max(fbar)
timechart sum(fbar)
timechart first(fbar)
etc.

"But," you say, "the value of fbar is the same throughout the time intervals. Why can't I just say fbar?" Sorry, you can't. But if the value of fbar really is the same, you could use first(fbar).

The complete list of functions for timechart is here

BTW, this is true for all fields, not just fields that you extracted,,,

link

answered 18 Aug '11, 22:25

lguinn's gravatar image

lguinn ♦
17.4k91125
accept rate: 29%

edited 18 Aug '11, 22:26

Ah, perhaps I didn't make things clear. The file looks something like this:

<process>
<id>12345</id>
<when>Wed Aug 17 17:11:54 +0000 2011</when>
...stuff...
<fbar>6743</fbar>
</process>
<process>
<id>12346</id>
<when>Wed Aug 17 19:32:26 +0000 2011</when>
...stuff...
<fbar>3238</fbar>
</process>

So xmlkv seems to be parsing all this just fine. What I am wanting is simply a chart that plots the value of "fbar" each time it appears. Since this will always be a numeric value, it should be possible to do, right?

link

answered 19 Aug '11, 09:13

mikeely's gravatar image

mikeely
97219
accept rate: 16%

Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Tags:

×499
×47
×15

Asked: 18 Aug '11, 17:13

Seen: 2,333 times

Last updated: 19 Aug '11, 09:13

Copyright © 2005-2014 Splunk Inc. All rights reserved.