Splunk Search

How to chart with multiple hour fields from 0h to 24h?

jrich523
Path Finder

I have some performance data that is, for the most part, fairly standard, such as SystemName, Metric (cpu, memory, whatever), counter type (percent, kbs, the unit basically), and then I have fields 0h to 24h, which hold the value on the hour.

I'd like to show, for example, the memory percent as a line chart, but I'm unsure how to tell Splunk to pull the data from the hour fields.

Sample Data:

Workload Name, Counter Name, Counter Metric,Rollup Type,    0h, 1h, 2h, 3h
SYSTEM1234, Read workload metric, number, max, 77, 141, 254, 190

This only shows hours 0 to 3; there are 24 of those fields.

So what I'd like to see is a line chart where the X axis has 0h, 1h, 2h all the way to 24h and the Y axis is relative to the values (in this case, 77-254).

Thanks

0 Karma
1 Solution

somesoni2
SplunkTrust

Give this a try

    your base search giving your fields Workload Name, Counter Name, Counter Metric, Rollup Type, 0h, 1h, 2h, 3h...
    | eval Metric='Workload Name'.":".'Counter Name'.":".'Counter Metric'.":".'Rollup Type' | fields - "Workload Name" "Counter Name" "Counter Metric" "Rollup Type" | untable Metric hour value | table hour Metric value

OR

    your base search giving your fields Workload Name, Counter Name, Counter Metric, Rollup Type, 0h, 1h, 2h, 3h...
    | eval Metric='Workload Name'.":".'Counter Name'.":".'Counter Metric'.":".'Rollup Type' | fields - "Workload Name" "Counter Name" "Counter Metric" "Rollup Type" | untable Metric hour value | chart values(value) over hour by Metric

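To make the reshaping in the accepted answer concrete, here is an added Python example (not code from this thread or from Splunk) that does the same wide-to-long transform on constructed rows in the question's column layout: it builds the composite Metric key the `eval` step builds, emits one (Metric, hour, value) triple per hour column the way `untable Metric hour value` does, and then pivots back to one row per hour like `chart values(value) over hour by Metric`. The hour labels, sample workloads and values are all constructed; one thing the example does that the SPL does not is order the hours numerically, because labels such as "10h" sort before "2h" as strings.

```python
"""Wide-to-long reshape of hourly performance rows, mirroring the untable
step in the accepted answer.  Added example; all sample data is constructed."""

import csv
import io
import re
from collections import defaultdict

# Constructed sample in the same column layout as the question.  Only a few of
# the 24 hour columns are included; "10h" is there to show the sorting issue.
SAMPLE_CSV = """Workload Name,Counter Name,Counter Metric,Rollup Type,0h,1h,2h,3h,10h
SYSTEM1234,Read workload metric,number,max,77,141,254,190,120
SYSTEM1234,Read workload metric,number,avg,50,90,130,101,80
"""

# The descriptive columns that together identify one series (the eval step).
KEY_COLUMNS = ["Workload Name", "Counter Name", "Counter Metric", "Rollup Type"]
# Hour columns look like "0h" .. "23h".
HOUR_RE = re.compile(r"^(\d{1,2})h$")


def load_rows(text=SAMPLE_CSV):
    """Parse the CSV into one dict per row, keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def metric_key(row):
    """Join the descriptive columns with ':' exactly as `eval Metric=...` does."""
    return ":".join(row[c] for c in KEY_COLUMNS)


def untable(rows):
    """Turn each wide row into (Metric, hour, value) triples, one per hour
    column, like `untable Metric hour value`.  Empty cells are skipped, which
    matches untable dropping null fields."""
    triples = []
    for row in rows:
        key = metric_key(row)
        for col, cell in row.items():
            if not HOUR_RE.match(col) or cell in ("", None):
                continue
            triples.append((key, col, float(cell)))
    return triples


def hour_number(label):
    """'10h' -> 10, so hours can be ordered numerically rather than as strings."""
    return int(HOUR_RE.match(label).group(1))


def chart_over_hour(triples):
    """Pivot back to one row per hour with one column per Metric, like
    `chart values(value) over hour by Metric`.  values() in Splunk returns the
    distinct values seen; if two input events share the same Metric key, both
    of their values show up here, which is what the asker saw as duplicates."""
    by_hour = defaultdict(lambda: defaultdict(list))
    for key, hour, value in triples:
        by_hour[hour][key].append(value)
    return [
        (hour, {k: sorted(set(v)) for k, v in by_hour[hour].items()})
        for hour in sorted(by_hour, key=hour_number)
    ]


if __name__ == "__main__":
    for hour, series in chart_over_hour(untable(load_rows())):
        print(hour, series)
```

Run it as-is to see the long-format triples pivoted back into an hour-ordered table; feeding it a CSV export with all 24 hour columns works the same way, since the hour columns are picked out by name pattern rather than by position.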
jrich523
Path Finder

It's still a little weird (seems like there is duplicate data, perhaps?), but I was able to get that working. Thanks! I'll have to go read up on untable; it seems to be the real magic here.

0 Karma

somesoni2
SplunkTrust

Can you post a sample event and desired output?

0 Karma

woodcock
Esteemed Legend

Like this:

    Your Base Search Here | eval _time=YourHourFieldHere | rex field=_time mode=sed "s/[hH]$//" | eval _time=_time * 60 * 60 | fieldformat _time = strftime(_time, "%H") | timechart span=1h avg(*) AS * BY host

jrich523
Path Finder

I'm not sure I follow. Where you have YourHourFieldHere, that's one field; I have 24 fields related to time, h0, h1, h2 all the way to h24.

0 Karma