Solved: Creating Stack-able graphs for 2 fields

bharpur183 · ‎10-11-2016

These are my events :
Based on the below info I want to crate a stackable bar graph that shows 2 errors "luchip" and "xmchip" in different colors

10/11/16

7:13:37.000 AM

2016/10/11 07:13:37| 2767| 2672| 20711| DCNETWORK| DCNETWORK| DNYOD2-J1|07:13:37 DCNETWORK: [critical] %DCNETWORK-CORE-WP-bbswatch-dnyod2-j1-syslog-default-err% {anjr-nm2} dc-core: almn-core-wp: fpc0 **xmchip*(0): li0: received a parcel from the hsl2 interface with eope

10/11/16
7:13:32.000 AM

2016/10/11 07:13:32| 2766| 2672| 20711| DCNETWORK| DCNETWORK| DNYOD2-J1|07:13:32 DCNETWORK: [critical] %DCNETWORK-CORE-WP-bbswatch-dnyod2-j1-syslog-default-err% {anjr-nm2} dc-core: almn-core-wp: fpc0 **luchip(*0) ppe_12 errors lmem data error 0x0000026c

10/7/16
2:49:35.000 PM

2016/10/07 14:49:35| 2902| 2672| 20711| DCNETWORK| DCNETWORK| PNYOD2-J2|14:49:34 DCNETWORK: [critical] %DCNETWORK-CORE-WP-bbswatch-pnyod2-j2-syslog-default-err% {anjr-nm2} dc-core: almn-core-wp: fpc0 **luchip(5) ppe_4 errors lmem data error 0x00000127

10/6/16
10:07:26.000 AM
*2016/10/06 10:07:26| 6713| 2672| 20711| DCNETWORK| DCNETWORK| PNJR-J10|10:07:26 DCNETWORK: [critical] %DCNETWORK-CORE-WP-bbswatch-pnjr-j10-syslog-default-err% {anjr-nm2} dc-core: almn-core-wp: fpc2 **xmchip(*1): wo1: packet error - error packets 1, stream 29

10/6/16
10:07:21.000 AM
*2016/10/06 10:07:21| 6709| 2672| 20711| DCNETWORK| DCNETWORK| PNJR-J10|10:07:21 DCNETWORK: [critical] %DCNETWORK-CORE-WP-bbswatch-pnjr-j10-syslog-default-err% {anjr-nm2} dc-core: almn-core-wp: fpc2 cadg7441: xmchip(1): ddrif: checksum error for wo1 - channel 6, address 0x4a040, checksum errors 1, checksum poison count 0

sundareshr · ‎10-11-2016

Try this

base search | rex "(?<err_type>xmchip|luchip)" | timechart count by err_type

*UPDATED*

base search | rex "(?<err_type>xmchip|luchip)" | chart count over netdevice by err_type

View solution in original post

gokadroid · ‎10-11-2016

Assuming that "dc-core: almn-core-wp:" always appear before fpcN (xmchip OR luchip) and timestamps are present for indexed data then you can try below:

Take care to remove the space in the tags < fpc> and < chipType> before running the below command



yourBaseSearchToGetAllAboveLogs

| rex field=_raw ".dc-core: almn-core-wp:\s+(?< fpc>[^\s]+)\s?(?< chipType>[^\s\(]+)"

|timechart count by chipType

Next:
Choose the visualization option of barchart.
The bars for luchip and xmchip will appear next to each other in different color.
On clicking the paintbrush icon of "Format" choose the "stacked" option for barchart if you want bars to be stacked one on top of other.
If you do not stack then bars will be next to each other but still in different colour too.

Note: Only the chip name (xmchip or luchip) is extracted by regex. I have ignored the * and the "(number)" from the chip name. (But that can be extracted too)

sundareshr · ‎10-11-2016

Try this

base search | rex "(?<err_type>xmchip|luchip)" | timechart count by err_type

*UPDATED*

base search | rex "(?<err_type>xmchip|luchip)" | chart count over netdevice by err_type

bharpur183 · ‎10-12-2016

Thanks .

But the issue now is "if I use the above logic , it creates the stackable graph , but it removes the names of the devices (netdevice) . If I use the names then the graph does not shwo up as stacked for both xmchip and luchip

sundareshr · ‎10-12-2016

Try chart instead of timechart. See updated answer

bharpur183 · ‎10-12-2016

That worked.
Thanks a lot.

Creating Stack-able graphs for 2 fields

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!