Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Timecharting multiple lines..!

minkyuk
Explorer
‎07-17-2015 09:14 AM

Hello, I have a question regarding timecharting multiple lines on one chart by Datacenter, but x-axis being Metric time and Y-axis being usedpct.

DATACENTER METRIC_DATE USEDPCT
Seoul, Korea 1393390800.000 59.1
Busan, Korea 1393390800.000 5.6
Seoul, Korea 1393477200.000 62.4
Busan, Korea 1393477200.000 5.31
Seoul, Korea 1393563600.000 59.4
Busan, Korea 1393563600.000 3.66
...
How could I accomplish this?

|inputlookup foo.csv|timechart span=86400s max(USEDPCT) by DATACENTER gives me no result for some reason

I would appreciate your help-

Jack

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎07-17-2015 09:46 AM

You have the correct search but your input file is NOT a csv, it is a tsv, which Splunk cannot handle directly on-the-fly. You can handle it by adding a full-blown monitor input with inputs.conf and props.conf (which can be programmed to tell Splunk it is a tsv) or you can change the file by swapping the tabs for commas; then it will work. Short of that, we have to start from scratch and work with the _raw event because the automatic csv-based field extractions are hopelessly broken.

Ignoring the timestamp, you can make it work like this:

| inputlookup foo.csv | rex "(?<DATACENTER>\S+\s+\S+)\s+(?<METRIC_DATE>\S+)\s+(?<USEDPCT>.*)" | stats max(USEDPCT) BY DATACENTER

Trying to use time, this should work:

| inputlookup foo.csv | rex "(?<DATACENTER>\S+\s+\S+)\s+(?<METRIC_DATE>\S+)\s+(?<USEDPCT>.*)" | eval _time=METRIC_DATE | timechart span=86400s max(USEDPCT) BY DATACENTER
0 Karma
Reply

jimodonald
Contributor
‎07-17-2015 09:33 AM

I suspect that Splunk does not know that "METRIC_DATE" is a time parameter. Try it this way:

| inputlookup foo.csv | rename METRIC_DATE as _time | timechart span=1d max(USEDPCT) by DATACENTER
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎07-17-2015 09:30 AM

The problem is with your data. You have commas , in the Datacenter field. Which in effect makes DATACENTER equal to Seoul or Busan and Metric_date equal to Korea.

You can fix this by updating the header of the CSV file to dc_city,dc_country,metric_date,usedpct, and then do this search:

|inputlookup foo.csv|eval DATACENTER = dc_city.", ".dc_country | timechart span=86400s max(USEDPCT) by DATACENTER

If you don't want to change the header, then you need to change the data.

"Seoul, Korea", 1393563600.000, 59.4
Reply

minkyuk
Explorer
‎07-17-2015 09:33 AM

My datacenter string is already "Seoul, Korea" so I'm assuming it's treated as one..

0 Karma
Reply

minkyuk
Explorer
‎07-17-2015 09:36 AM

Thank you, got it to work.
By any chance, I'm getting OTHER field since I have 10+ different datacenters, but how could I drill-down or change settings to prevent Splunk from making OTHER automatically

0 Karma
Reply

dflodstrom
Builder
‎07-17-2015 09:58 AM

add useother=f to the timechart portion of your query. use limit=x to limit your results.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...