Splunk Search

Are strings allowed in a chart statistics view?

milande
Path Finder

Hi,

I am trying to display some test results, and by using the following search string I am getting what I want:

… | chart count(eval(testStepStatus=="FAIL")) by Datum, systemIDPair

Please see the attachment to get an idea of how it looks:
http://i.imgur.com/Jhls1xO.jpg

But since the requirements have changed, I need to put not numbers in the table cells but strings (held in the field resultString) like “1,1,0,-”, so I should/would change the search string into something like:

… | chart first(resultString) by Datum, systemIDPair

Where resultString can have some special character arrays like “1,1,0,-” or “1,0,0,1” or “-,-,-,-”.
So is it possible to create a “Statistic-Tab-View” with the Splunk chart function having such “strings” in the cells and not just numbers (a string can give more information than just a single number)?

(Edited)
So for example, if the events in the Splunk index are as follows:

Datum       resultString   systemIDPair
01.012015   "1,1,0,-"      "1/01"
01.012015   "1,0,0,1"      "1/04"
01.012015   "-,-,-,-"      "1/05"
02.012015   "0,1,0,-"      "1/01"
02.012015   "0,0,0,1"      "1/04"
02.012015   "0,-,-,-"      "1/05"
...

I expect a table view like the following:
http://i.imgur.com/7IC3fmu.jpg

Best regards,
Milan

1 Solution

Richfez
SplunkTrust

I'm not 100% sure I understand the question, but if I am reading it correctly I think you can do what you want.

The things to look at are using the eval function (specifically, probably "case", but others may apply too) or rex to build strings based on... well, on whatever you want. Once you have resultString done the way you want, there are many options for creating tables, calculating statistics or whatever you would like.

For instance, a search like "index=_internal" returns a whole bunch of lines, some of which have "TailDatabaseMonitor" in them, others which have "Scheduler", and others that have neither. Now, keep in mind this is pretty much a nonsense dataset, but it'll work for an example.

index=_internal | eval resultString=case(match(_raw,"TailDatabaseMonitor"),"ContainsItem1",match(_raw,"Scheduler"),"ContainsItem2",1==1,"ItemNeither") 

That eval does a case statement (http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Commonevalfunctions) using "match" to check if the various strings exist in the raw data. The last two items in the case, 1==1, "ItemNeither", set up a default: 1 always equals 1, so if nothing else matched then resultString gets set to ItemNeither.

After this, I have a resultString that, for my past 60 minutes on this indexer, gives 32000 events, 28000 of which are "ItemNeither", a few thousand ContainsItem1, and the remainder of a few hundred set to ContainsItem2. From there, all sorts of things are possible.

For instance, ...| stats count(resultString) by resultString,host

gives:

resultString       host      count(resultString)
ContainsItem1      hostA    2914
ContainsItem2      hostB    1
ContainsItem2      hostC    813
ItemNeither         hostD   3980
ItemNeither         hostB   3688
ItemNeither         hostC   16630
ItemNeither         hostE   3450 


Richfez
SplunkTrust

Another option:

..| timechart latest(resultString) by host

In my example above, this gets a list structured much like what you showed in your latest screenshot. It has a feel of being delicate (it may require certain "span=x" options and may only be "right" over certain time frames), and it will definitely take some playing around to get right, but this may be enough to get you on the right path.

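As an added illustration (not part of the thread), the following Python models what `chart first(resultString) by Datum, systemIDPair` and `timechart latest(...)` do to string-valued fields: the first by-field becomes the row key, the second is split into columns, and each cell keeps the first (or latest) value seen, whether it is a number or a string such as "1,1,0,-". The events are constructed from the poster's sample table, with two extra rows added to show a duplicated cell and a row with missing columns.

```python
from collections import OrderedDict

# Constructed sample events modelled on the poster's table (index order).
# Event 7 duplicates the (02.012015, 1/01) cell; event 8 has no 1/04 or 1/05.
EVENTS = [
    {"Datum": "01.012015", "resultString": "1,1,0,-", "systemIDPair": "1/01"},
    {"Datum": "01.012015", "resultString": "1,0,0,1", "systemIDPair": "1/04"},
    {"Datum": "01.012015", "resultString": "-,-,-,-", "systemIDPair": "1/05"},
    {"Datum": "02.012015", "resultString": "0,1,0,-", "systemIDPair": "1/01"},
    {"Datum": "02.012015", "resultString": "0,0,0,1", "systemIDPair": "1/04"},
    {"Datum": "02.012015", "resultString": "0,-,-,-", "systemIDPair": "1/05"},
    {"Datum": "02.012015", "resultString": "1,1,1,1", "systemIDPair": "1/01"},
    {"Datum": "03.012015", "resultString": "-,-,0,0", "systemIDPair": "1/01"},
]


def chart_by(events, field, row_by, col_by, agg="first"):
    """Pivot like `chart first(<field>) by <row_by>, <col_by>`.

    The first by-field becomes the row key, the second is split into
    columns. agg="first" keeps the first value seen for a cell (like
    first()); agg="latest" keeps the last one (like latest()). Cells with
    no event stay empty. Values are never coerced, so a string such as
    "1,1,0,-" is carried into the cell unchanged.
    """
    cells, rows, cols = {}, [], []
    for ev in events:
        r, c = ev[row_by], ev[col_by]
        if r not in rows:
            rows.append(r)
        if c not in cols:
            cols.append(c)
        if agg == "latest" or (r, c) not in cells:
            cells[(r, c)] = ev[field]
    header = [row_by] + cols
    table = [OrderedDict([(row_by, r)] + [(c, cells.get((r, c), "")) for c in cols])
             for r in rows]
    return header, table


def render(header, table):
    """Plain-text rendering comparable to the Statistics tab."""
    widths = [max([len(h)] + [len(row[h]) for row in table]) for h in header]

    def fmt(row):
        return "  ".join(row[h].ljust(w) for h, w in zip(header, widths))

    return "\n".join([fmt(dict(zip(header, header)))] + [fmt(row) for row in table])


if __name__ == "__main__":
    print(render(*chart_by(EVENTS, "resultString", "Datum", "systemIDPair")))
```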

milande
Path Finder

Hi rich7177,

First, thanks for giving your explanation. Did you take a look at my table here?
http://i.imgur.com/Jhls1xO.jpg

I could not upload the picture directly here (because my credit is not so big). In my case I have the variable systemIDPair with the values 1/01, 1/04, 1/05, ... on the "vertical axis", and that is what I get automatically when I use the chart function. What you did is make a table with some count in one row, but what I want is to make a table with those special strings in place of the numbers. If the events in the Splunk index are as follows:

Datum       resultString   systemIDPair
01.012015   "1,1,0,-"      "1/01"
01.012015   "1,0,0,1"      "1/04"
01.012015   "-,-,-,-"      "1/05"
02.012015   "0,1,0,-"      "1/01"
02.012015   "0,0,0,1"      "1/04"
02.012015   "0,-,-,-"      "1/05"
...

I expect a table view like the following:
http://i.imgur.com/7IC3fmu.jpg

So as you can see, the elements in these tables are not counts or numbers but strings like "1,1,0,-", ... So my question is whether it is possible to create a table with non-number values?

Best regards,
Milan


Richfez
SplunkTrust

Thanks for clarifying. Might have something closer above.
