I am trying to draw a line graph with multiple points for each instance of time.
Say I have this:
1. cmdTop1='/usr/sbin/cmd1'; cmdTop2='/usr/libexec/cmd2'; cmdTop3='/usr/java/cmd3'; cpuTop1=1.1; cpuTop2=0.7; cpuTop3=0.2;
2. cmdTop1='/usr/libexec/cmd2'; cmdTop2='/usr/sbin/cmd1'; cmdTop3='/usr/java/cmd3'; cpuTop1=3.2; cpuTop2=1.4; cpuTop3=0.1;
cmdTop* are arbitrary process running paths
cpuTop* are process running cpu usages
The integer corresponds to the rank of each process's cpu usage for that given time and are not related to the other messages.
I would like to have a line graph that shows:
What I have so far is I can separate these values into two mv columns with corresponding command and CPU values:
my base search | rex max_match=0 "cmdTop\d+=(?<Command>[^;]+)" | rex max_match=0 "cpuTop\d+=(?<CPU>[^;]+)" | table Command CPU
I can't seem to get any further with this, help would be greatly appreciated!
EDIT: Some additional information.
These lines are not guaranteed to be continuous, or even unique. Multiple commands may have the same command name. Given the following example:
cmdTop1='/usr/java/latest/bin/java -cp foo'; cmdTop2='/usr/java/latest/bin/java -cp foo'; cmdTop3='/usr/java/latest/bin/java -cp foo'; cpuTop1=8.0; cpuTop2=4.0; cpuTop3=2.0;
cmdTop1='/usr/java/latest/bin/java -cp foo'; cmdTop2='/usr/java/latest/bin/java -cp foo'; cmdTop3='/usr/java/latest/bin/java -cp foo'; cpuTop1=16.0; cpuTop2=8.0; cpuTop3=4.0;
It would not be possible to assign a line to an instance of /usr/java/latest/bin/java -cp foo, the graph would have to guess/arbitrarily assign values. This is an edge case that is impossible to solve given the dataset.
Ended up going with a kludgey workaround to this answer.
- Evaluate each paring, setting the column to be equal to the current instance's command value
- Set the rows to be the current snapshot of the CPU usage
- Append a suffix string of C1-5 to ensure uniqueness (assuming only 5 entries currently, above examples only have 3
- Pull out the current epoch time from each message, use that for X
my base search | eval C1.{cmdTop1}=cpuTop1 | eval C2.{cmdTop2}=cpuTop2 | eval C3.{cmdTop3}=cpuTop3 | eval C4.{cmdTop4}=cpuTop4 | eval C5.{cmdTop5}=cpuTop5 | eval Time=strftime(epochtime, "%m/%d/%y %H:%M:%S %Z") | table Time C1* C2* C3* C4* C5*
This gives us something nice like this:
Don't think there's a better way beyond this.
Ended up going with a kludgey workaround to this answer.
- Evaluate each paring, setting the column to be equal to the current instance's command value
- Set the rows to be the current snapshot of the CPU usage
- Append a suffix string of C1-5 to ensure uniqueness (assuming only 5 entries currently, above examples only have 3
- Pull out the current epoch time from each message, use that for X
my base search | eval C1.{cmdTop1}=cpuTop1 | eval C2.{cmdTop2}=cpuTop2 | eval C3.{cmdTop3}=cpuTop3 | eval C4.{cmdTop4}=cpuTop4 | eval C5.{cmdTop5}=cpuTop5 | eval Time=strftime(epochtime, "%m/%d/%y %H:%M:%S %Z") | table Time C1* C2* C3* C4* C5*
This gives us something nice like this:
Don't think there's a better way beyond this.