- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Extract_values from String and plot the graph acco...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,I have the following string which is continuously changing its type1,2,3 values ..
"msg count 95, time 2000111, rate: type1=0 type2=9.5 type3=0 type4=0 type5=8"
the value of {type1,type2,type3,type4,type5 } and time is changing in each message.
I want to plot a Bar-chart graph in which time is on X-axis and {type1, type2,..} value is on y-axis
how can I extract all the " typen=value" and plot the graph accordingly to value with my own time field also..
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:- I am not sure what format your time value is, So I am just taking this
your base search | rex " time (?<timestamp>[^,]+)"| rex max_match=0 "(?<type>\w+)=(?<value>[^ ]+)" | table timestamp, type, value| eval newfield=mvzip(type,value) | mvexpand newfield | rex field=newfield "(?<type>.*),(?<value>.*)" | chart first(value) over type by timestamp
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:- I am not sure what format your time value is, So I am just taking this
your base search | rex " time (?<timestamp>[^,]+)"| rex max_match=0 "(?<type>\w+)=(?<value>[^ ]+)" | table timestamp, type, value| eval newfield=mvzip(type,value) | mvexpand newfield | rex field=newfield "(?<type>.*),(?<value>.*)" | chart first(value) over type by timestamp
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Wo0W Great !
Thanks alot man.it works fine in tabular form extract the values of type and also show the time-stamp..
i just want to show the type field which is {20.23.25.50.56}
and its values on the bar graph. Does it works ?? on graph it shows some thing strange..
thanks again
..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could do this
yoursearchhere
| table timestamp type*
And then choose the type of chart that you want in the "Visualization" tab.
This assumes that you do not need to summarize the data. If you need to calculate the values for a span of an hour, for example:
yoursearchhere
| eval timestamp=strptime(yourtimestamp,"%format")
| bucket timestamp span=1h
| chart avg(type*) as type* by timestamp
This assumes that your timestamp field is not in Linux epoch time format. If it is, you can leave off the eval command. "%format" depends on the format of your timestamp - you can get more information here: Splunk common time format variables
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Lguinn, for your reply 🙂 Actually my string has these values whic is changing
time 2000111, rate: 20=3 22=9.5 25=0 26=2
time 2000137, rate: 20=7 22=5.6 25=3 26=0
time 2000092, rate: 20=0 22=9.5 25=0 26=0
I want to plot a real-time graph which look like this. a) Each time parse the sting and Extract the values of {20,22,25,26,50,51} and store it to some variables like 20=x,22=y,25=z..so on. and then plot a bar chart according to(X,Y,Z) and time in the string as refernece..
I don't know how to extact values and store them into variables
a Please help ..
thanks again
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
