Chart with values only

vdevarayan
Path Finder

I have a comma-separated logfile. Let's assume the columns are url, latency.
Example records look like this:
abc,100
cde,10
zzz, 50
...

Now, I am interested in a simple bar/line chart over the sorted values of the second column (latency).
After sorting, my values are 10, 50, 100.
When an event happened is not important, because I am interested in the sorted values (so timechart is out of the question).
The x-axis will have bars and the y-axis will have numbers (indicating latency values/limits).

I can get the sorted values easily, but charting on just the values is what is giving me trouble.

Any suggestions?

0 Karma
1 Solution

ramdaspr
Contributor

Assuming you know what percentiles you are planning on plotting, then it's fairly simple. If you don't, then it isn't, and you can probably stop reading now; else continue.

| chart perc50(latency) as p50, perc75(latency) as p75, perc95(latency) as p95 | transpose | rename "row 1" as Latency | sort - Latency

Of course, this means that the latency graphing is captured without any relation to which url has latency issues.

vdevarayan
Path Finder

@ramdaspr - that worked, thanks 🙂

However, could you answer the second part, which is (simply given values that I can extract out sorted in some specific way): what is the best way to chart them - line/bar/column?

Example:
Given these values, [10, 50, 20, 100, 10], how to chart it like x-axis contains 5 bars and y-axis having values 0-100?

0 Karma

ramdaspr
Contributor

How you want to display them depends on what you are trying to show with the data.

Each graph type is useful for a particular reason. You can read a bit more here and here [both are external sites]

0 Karma

ramdaspr
Contributor

If I didn't misunderstand the question, you should be able to get a sorted chart using the query below, which will pick up the maximum latency per url and then sort it so that your graph will be sorted.

...| chart max(latency) as MaxLat by url | sort MaxLat
0 Karma

vdevarayan
Path Finder

Thanks for the replies.
@cpetterborg: The x-axis will be used for percentile bucketing.
If I have 10 records with latencies [100, 50, 90, 10, 10, 10, 50, 10, 50, 100], then I just want to know the percentile values of the latencies.
Assume the rest of the columns are irrelevant here.

After sorting, the values are [10, 10, 10, 10, 50, 50, 90, 90, 100, 100]
In the x-axis, the 1st thru 4th bar will have a height of 10, 4th-5th will have a height of 50 and so on.
I would like to retain the duplicates as they are relevant to percentile calculations.
In general, given a set of values (sorted or not), how to chart them?

What I will infer from this chart:
The 40th percentile has 10ms latency, the 60th percentile has a latency of 50ms, ...

@ramdaspr: The group by url and Max is messing up the results. I would like to have all values and not just the max values.

All I need is given values, [10, 50, 20, 100, 10], how to chart it like x-axis contains 5 bars and y-axis having values 0-100?

0 Karma

cpetterborg
SplunkTrust

Is the x-axis supposed to represent the count, url, or what, if the y-axis is the latency values?

0 Karma
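
One way to chart every value as its own bar, duplicates included, as asked in the thread above. This is an added example, not a query from any poster here: the five sample values from the question are generated with makeresults so the search runs on its own, and the field names rank, total and percentile are assumptions.

```spl
| makeresults
| eval latency=split("10,50,20,100,10", ",")
| mvexpand latency
| eval latency=tonumber(latency)
| sort 0 latency
| streamstats count as rank
| eventstats count as total
| eval percentile=round(100 * rank / total)
| table percentile latency
```

Rendered as a column chart, the first column (percentile) becomes the x-axis with one bar per event and latency is the bar height. Against real data, replace the first four lines with the base search that extracts latency.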