How do I display value of extracted numeric field in a timechart?

mikeely
Path Finder

We've got an XML file that is being parsed correctly (and easily - just piped into xmlkv) but one of the fields is numeric and I'm darned if I can figure out how to get the timechart to show the actual value for this particular field over time - timechart seems to want statistical functions like max, average, etc. rather than just throw up the value for that field.

What I'm trying to do is pretty simple and would look like this:
source="foo.xml" | xmlkv | timechart valueOf(some_numeric_value)

FWIW, it looks like the extracted field knows it's a numeric value as there is an italic (n) behind the field name.


mikeely
Path Finder

Ah, perhaps I didn't make things clear. The file looks something like this:

<process>
<id>12345</id>
<when>Wed Aug 17 17:11:54 +0000 2011</when>
...stuff...
<fbar>6743</fbar>
</process>
<process>
<id>12346</id>
<when>Wed Aug 17 19:32:26 +0000 2011</when>
...stuff...
<fbar>3238</fbar>
</process>

So xmlkv seems to be parsing all this just fine. What I am wanting is simply a chart that plots the value of "fbar" each time it appears. Since this will always be a numeric value, it should be possible to do, right?


lguinn2
Legend

By definition, the timechart command requires a function as its first argument. Why? Because Splunk cannot plot every possible time on the X-axis; it must aggregate the time into ranges. The function is required for the Y-axis so that Splunk knows how to aggregate the data points consistently with the time ranges (aka spans).

So if your field is named fbar, you have to choose some function that tells Splunk how to aggregate fbar for the timechart. You have lots of choices:

timechart avg(fbar)
timechart max(fbar)
timechart sum(fbar)
timechart first(fbar)
etc.

"But," you say, "the value of fbar is the same throughout the time intervals. Why can't I just say fbar?" Sorry, you can't. But if the value of fbar really is the same, you could use first(fbar).

The complete list of functions for timechart is here.

BTW, this is true for all fields, not just fields that you extracted...
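As an added illustration (not part of lguinn2's answer or Splunk's own code), the script below re-implements timechart-style binning in plain Python over records shaped like the question's XML. It assumes a constructed sample with a third <process> record added so that two events fall into the same hour, a `timechart(events, func, span)` helper that mirrors `timechart span=... func(fbar)`, and a hypothetical `valueOf` aggregate that only succeeds when a span holds exactly one event. Running it shows why "just the value" is ill-defined once two events share a span, and why `first(fbar)` is the practical substitute when the value really is constant within each span.

```python
# Added example: timechart-style binning of the <fbar> field, to show why an
# aggregation function is required. Sample data is constructed for this example.
from datetime import datetime, timedelta, timezone
from statistics import mean
import xml.etree.ElementTree as ET

# Constructed sample shaped like the file in the question; the third record is
# added so that two events land in the same one-hour span.
SAMPLE_XML = """<processes>
<process><id>12345</id><when>Wed Aug 17 17:11:54 +0000 2011</when><fbar>6743</fbar></process>
<process><id>12346</id><when>Wed Aug 17 19:32:26 +0000 2011</when><fbar>3238</fbar></process>
<process><id>12347</id><when>Wed Aug 17 19:48:03 +0000 2011</when><fbar>4100</fbar></process>
</processes>"""

WHEN_FORMAT = "%a %b %d %H:%M:%S %z %Y"  # matches "Wed Aug 17 17:11:54 +0000 2011"
HOUR = timedelta(hours=1)
TEN_MIN = timedelta(minutes=10)


def parse_events(xml_text):
    """Return a sorted list of (timestamp, fbar) tuples, analogous to what xmlkv extracts."""
    root = ET.fromstring(xml_text)
    events = []
    for proc in root.findall("process"):
        when = datetime.strptime(proc.findtext("when"), WHEN_FORMAT)
        fbar = int(proc.findtext("fbar"))  # numeric field, as the (n) marker indicates
        events.append((when, fbar))
    return sorted(events)


def bucket_start(ts, span):
    """Floor a timestamp to the start of its span, like the _time buckets timechart draws."""
    epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
    return ts - ((ts - epoch) % span)


def value_of(vals):
    """Hypothetical 'valueOf' aggregate: only defined when the span holds one event."""
    if len(vals) != 1:
        raise ValueError("span holds %d events; pick an aggregate such as first()" % len(vals))
    return vals[0]


# Aggregates a span's list of fbar values into the single Y value the chart needs.
AGGREGATES = {
    "first": lambda vals: vals[0],
    "last": lambda vals: vals[-1],
    "max": max,
    "min": min,
    "sum": sum,
    "avg": mean,
    "count": len,
    "valueOf": value_of,
}


def timechart(events, func, span=HOUR):
    """Group events by span and reduce each span's fbar values with func.

    Returns {span_start: value}; empty spans are omitted to keep the output short.
    """
    buckets = {}
    for ts, fbar in events:
        buckets.setdefault(bucket_start(ts, span), []).append(fbar)
    return {start: AGGREGATES[func](vals) for start, vals in buckets.items()}


def single_valued(events, span):
    """True when every span holds at most one event, i.e. 'the value' is unambiguous."""
    try:
        timechart(events, "valueOf", span)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    evs = parse_events(SAMPLE_XML)
    for func in ("first", "max", "avg", "count"):
        print("span=1h %s(fbar):" % func)
        for start, val in sorted(timechart(evs, func, HOUR).items()):
            print("  %s  %s" % (start.strftime("%Y-%m-%d %H:%M"), val))
    print("valueOf well-defined at span=1h:  %s" % single_valued(evs, HOUR))
    print("valueOf well-defined at span=10m: %s" % single_valued(evs, TEN_MIN))
```

With the hourly span the 19:00 bucket holds both 3238 and 4100, so `first`, `max` and `avg` each give a different Y value and the hypothetical `valueOf` fails; shrinking the span to ten minutes separates the events and `valueOf` succeeds, which is exactly the situation in which `first(fbar)` is safe to use.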
