I have a line being logged similar to
Foo_Thing=10.0 Foo_Thing2=12.2 Foo_OtherThing=34.5 Foo_YetAnotherThing2=43.3
What I want to do is create a chart of these values (possibly a pie chart) but so far I have not been able to get BOTH the value AND the label into the chart like I want.
I have tried lots of things, like extract, kvpairs, etc, etc... this is the closest I can come
sourcetype="syslog" "Foo percetages" | head 1 | rex "(?P<ftype>Foo_[a-zA-Z0-9]+)=(?P<perc>[\d\.]+)" max_match=40 | chart max(perc) by ftype
Of course this charts each ftype by the max value of the perc, so 43.3 for all. I have attempted using the function values, but this maps every value to every ftype, which is also not what I want. What can I do to capture the field name AND field value and have them paired up so charting makes sense?
While you may already have found a workable solution, I'd like to pick up on this search from your question:
sourcetype="syslog" "Foo percetages" | head 1 | rex "(?P<ftype>Foo_[a-zA-Z0-9]+)=(?P<perc>[\d\.]+)" max_match=40 ( | chart removed)
Does this yield one event with two multivalue fields called ftype and perc? If so, you can turn that into forty events with singlevalue fields like this:
... | rex ... | eval temp = mvzip(ftype, perc, "=") | mvexpand temp | rex field=temp "^(?<ftype>[^=]+)=(?<perc>[^=]+)$" | chart max(perc) by ftype
The great thing about this is that you're not restricted to one event. You could throw a day's worth of events at this and run a timechart over that if you like.
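The pairing described in the answer above, modeled in Python as an added example (not code from this thread or from Splunk). The function names are hypothetical, the second sample event is constructed, and the multivalue `chart` behaviour is modeled on the "43.3 for all" result reported in the question.

```python
import re
from collections import defaultdict

# Constructed sample events in the shape shown in the question.
EVENTS = [
    "Foo_Thing=10.0 Foo_Thing2=12.2 Foo_OtherThing=34.5 Foo_YetAnotherThing2=43.3",
    "Foo_Thing=11.5 Foo_Thing2=9.8 Foo_OtherThing=30.1 Foo_YetAnotherThing2=48.6",
]
PAIR = re.compile(r"(?P<ftype>Foo_[a-zA-Z0-9]+)=(?P<perc>[\d.]+)")

def rex_multivalue(raw):
    """Model of rex with max_match: one event, two parallel multivalue fields."""
    matches = list(PAIR.finditer(raw))
    return {"ftype": [m["ftype"] for m in matches],
            "perc": [m["perc"] for m in matches]}

def chart_max_multivalue(event):
    """Model of chart max(perc) by ftype on the unexpanded event: the event
    lands under every ftype value and brings all of its perc values along."""
    return {ft: max(map(float, event["perc"])) for ft in event["ftype"]}

def mvzip_mvexpand(event, delim="="):
    """mvzip pairs values by position; mvexpand yields one row per pair;
    the second rex splits each pair back into single-value fields."""
    temp = [f"{a}{delim}{b}" for a, b in zip(event["ftype"], event["perc"])]
    rows = []
    for t in temp:
        ftype, perc = t.split(delim, 1)
        rows.append({"ftype": ftype, "perc": float(perc)})
    return rows

def chart_max(rows):
    """chart max(perc) by ftype over single-value rows."""
    out = defaultdict(lambda: float("-inf"))
    for r in rows:
        out[r["ftype"]] = max(out[r["ftype"]], r["perc"])
    return dict(out)

if __name__ == "__main__":
    first = rex_multivalue(EVENTS[0])
    print("unexpanded:", chart_max_multivalue(first))
    rows = [r for raw in EVENTS for r in mvzip_mvexpand(rex_multivalue(raw))]
    print("expanded:  ", chart_max(rows))
```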
Hi sberry2a,
well, you are the only one that can answer this, because you know what your expectations are and what makes sense to you or what does not.....
If you are playing with values(), the best thing to do is to use it with timechart. This way you will get a nice chart based on _time. If you want to use stats or chart, you will have to decide if you want to show the max(), min(), avg(), first(), last() and so on...
Have a look at the docs on the functions for stats, chart and timechart
hope this helps to get you started building the chart you need ...
cheers, MuS
that's nice 🙂
I ended up sending everything to | table Foo_* | transpose 40 and the visualization started working. I was under the assumption that the viz could only be generated by sending to some sort of charting function. I understand now why that was an incorrect assumption.