How to chart a varying number of fields?

andrewjgriffin
Engager

I have message data similar to as follows, which is the count of active user processes on a host:

host=hostA user1:0 user3:12 user10:2 user2:0
host=hostB user1:1 user4:8
host=hostC user10:2 user21:3 user2:0 user4:0 user14:8 user15:0

The format of the user fields is always the same - "user name":"number of processes" - however, the number of users reported on each host is variable. Some hosts will only have a few, some have dozens. I'm trying to create a chart to count the number of processes per user, split by user, on a given host over time, and I'm stuck. I'm assuming I need to use the format option, but I can't get the fields to split like I need. This is what I've come up with, but it returns no results:

index=_dev host=hostB | chart format=$AGG$:$VAL$ max($VAL$) by $AGG$

somesoni2
SplunkTrust

Try something like this

index=_dev  host=hostB | extract kvdelim="=:" pairdelim=" " | table host user* | untable host user processcount

** for your rex solution **

index=_dev  host=hostB  | rex max_match=0 field=_raw "(?<temp>\w+:\d+)"   | table _time temp | mvexpand temp |   rex field=temp "(?<user_id>\w+):(?<proc_count>\d+)" | timechart max(proc_count) by user_id

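The accepted rex / mvexpand / timechart pipeline, re-implemented in plain Python as an added example (not the page's or Splunk's own code) over constructed sample events, to show why the user:count pairs must be expanded to one row per user before aggregating. The `EVENTS` data, the 300-second span and the function names are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample events (epoch seconds, raw message), modelled on the
# message format in the question. Not real data.
EVENTS = [
    (1000, "host=hostB user1:1 user4:8"),
    (1100, "host=hostB user1:3 user4:2 user7:5"),
    (1300, "host=hostB user1:0 user4:9"),
]

# Same pattern as the answer's second rex: "<user_id>:<proc_count>"
PAIR_RE = re.compile(r"(\w+):(\d+)")


def extract_pairs(raw):
    """Equivalent of `rex max_match=0`: every user:count pair in the event.
    In Splunk this yields ONE multivalue field per event, which is the
    shape that made timechart collapse all counts together."""
    return [(user, int(count)) for user, count in PAIR_RE.findall(raw)]


def expand(events):
    """Equivalent of `mvexpand temp`: one row per (time, user_id, proc_count)."""
    return [(ts, user, count)
            for ts, raw in events
            for user, count in extract_pairs(raw)]


def timechart_max(rows, span):
    """Equivalent of `timechart span=<span> max(proc_count) by user_id`.
    Returns {bucket_start: {user_id: max_proc_count}}."""
    chart = defaultdict(dict)
    for ts, user, count in rows:
        bucket = ts - ts % span
        current = chart[bucket].get(user)
        chart[bucket][user] = count if current is None else max(current, count)
    return dict(chart)


def unexpanded_max(events):
    """What the asker observed without mvexpand: proc_count is a single
    multivalue list per event, so max() ignores the user split entirely."""
    return max(count for _, raw in events for _, count in extract_pairs(raw))


if __name__ == "__main__":
    for bucket, by_user in sorted(timechart_max(expand(EVENTS), 300).items()):
        print(bucket, by_user)
```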
andrewjgriffin
Engager

This rex is getting me a table like I want to see:

rex max_match=0 field=_raw "(?<user_id>\w+):(?<proc_count>\d+)" | table user_id proc_count

But I can't get it to chart by user_id. If I try something like:

rex max_match=0 field=_raw "(?<user_id>\w+):(?<proc_count>\d+)" | timechart max(proc_count) by user_id

It treats all the values of proc_count as one and just returns the max of all.


andrewjgriffin
Engager

That did it! With one slight change, I had to add _time for the timechart function to work:

index=_dev  host=hostB  | rex max_match=0 field=_raw "(?<temp>\w+:\d+)"   | table temp _time | mvexpand temp |   rex field=temp "(?<user_id>\w+):(?<proc_count>\d+)" | timechart max(proc_count) by user_id

somesoni2
SplunkTrust

Try the updated answer.
