Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Unidimensional histogram (chart without "by" clause)

yoho
Contributor
‎09-27-2013 07:16 AM

I have difficulties to create a simple, unidimentional histogram. Suppose you have a log similar to this:

host=host1 sent=1 received=2

host=host2 sent=3 received=3

host=host1 sent=18 received=1

I'd like to create a simple histogram displaying the total amount of "sent" and "received", no matter what host.
The following search command doesn't give expected results because I end up with a single column with the value of 6 ("sum(received)") :

host=host* | chart sum(sent), sum(received)

What's wrong with my search?

Edit
Added pictures to clarify my question

Table view (correct):
alt text

Chart view (not correct ? or at least not what I would expect):
alt text

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎10-04-2013 09:57 AM

AH! OK. In a previous answer, by "columns" you meant columns in a chart and I thought you meant columns as in a table. So we were both right.

Indeed, the chart here is misinterpreting what you want. In a chart each row is a data point, the first value in that row is the main x-axis value, and any subsequent values are taken as the one or more series to be charted.

The simplest way to fix this is to tack on a transpose command to give chart data it can interpret correctly: 

 | chart sum(sent), sum(received) | transpose | rename column as type "row 1" as bytes

View solution in original post

Reply
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎10-04-2013 09:57 AM

AH! OK. In a previous answer, by "columns" you meant columns in a chart and I thought you meant columns as in a table. So we were both right.

Indeed, the chart here is misinterpreting what you want. In a chart each row is a data point, the first value in that row is the main x-axis value, and any subsequent values are taken as the one or more series to be charted.

The simplest way to fix this is to tack on a transpose command to give chart data it can interpret correctly: 

 | chart sum(sent), sum(received) | transpose | rename column as type "row 1" as bytes
Reply
Solved! Jump to solution

yoho
Contributor
‎10-07-2013 01:02 AM

Thanks both for the explanation and the solution

0 Karma
Reply
Solved! Jump to solution

srioux
Communicator
‎09-27-2013 09:26 AM

Here's a search, loosely based on documentation:

host=host* | chart sum(sent) AS sumsent, sum(received) AS sumreceived by _time | eval s1="Sent Received" | makemv s1 | mvexpand s1 | eval yval=case(s1=="Sent",sumsent,s1=="Received",sumreceived) | chart sum(yval) AS Sum by s1

Documentation link:

http://docs.splunk.com/Documentation/Splunk/5.0.4/Search/Chartmultipledataseries

Reply
Solved! Jump to solution

yoho
Contributor
‎09-30-2013 01:04 AM

Works perfect. I would have thought there was a simpler way though.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...