Create Scatter Diagram That Shows Data Falling Within Average Range

qygoh
Engager

Hi all, I am trying to create a scatter diagram that will show the ideal range of values and how many fall within it. I tried to use timechart but it seems it didn't work. I have tried a few different ways already and it still fails. Below is the code I am using to extract the result (shown by the red arrow in the picture).

   Customer="xyz" ID=yvalue |timechart span=1m avg(Value) as yvalue 
  |appendcols [search Customer="xyz" ID=xvalue |timechart span=1m avg(Value) as xvalue] 
  |table xvalue, yvalue

And I need one more piece of code to draw the acceptable range for the result, as shown in the image below:

And I wish to display the range of it as shown by the black arrow in the picture. Would you mind sharing with me how I should achieve it? Thank you very much.

0 Karma

DalJeanis
SplunkTrust

Helping with this one will require us to understand more about the underlying data.

We have literally no idea what kind of values of yvalue might be acceptable for any given xvalue.

I did notice that you aren't really using _time for anything, so don't use timechart, just use stats. Also, just in case your files ever get big, you might run into problems with the maximum record limits of a subsearch on your | append. You can make them part of the regular search, and that problem will never occur. And, you should always tell Splunk what index(es) you want to look at.

index=foo Customer="xyz" (ID=xvalue OR ID=yvalue)
| bin _time span=1m
| xvalue=if(ID=xvalue,Value,null())
| yvalue=if(ID=yvalue,Value,null())
| stats avg(xvalue) as xvalue, avg(yvalue) as yvalue by Customer _time
| table xvalue yvalue

If there is some relationship between the xvalues and yvalues, then code like this might help you figure out what it is:

| bin bins=10  xvalue as xbin
| bin bins=10  yvalue as ybin
| chart count over xbin by ybin

...or...

| bin bins=10  xvalue as xbin
| rex mode=sed field=xbin "s/-\d+$//g"
| eval xbin=tonumber(xbin)
| stats 
    avg(yvalue) as yavg, stdev(yvalue) as ystdev,  sum(yvalue) as yweight,
    perc10(yvalue) as y10, perc90(yvalue) as y90, count as ycount  
    by xbin 
| eval series ="by xbin"
| xyseries xbin series yavg ystdev y10 y90 ycount

0 Karma

qygoh
Engager

Hi Dal, thank you very much for your response. When I replace my code with

  index=foo Customer="xyz" (ID=xvalue OR ID=yvalue)
 | bin _time span=1m
 | xvalue=if(ID=xvalue,Value,null())
 | yvalue=if(ID=yvalue,Value,null())

it didn't work. I got an error message: Unknown search command 'xvalue'. Would you mind sharing with me how to resolve it? Thank you very much.

0 Karma

qygoh
Engager

I found that "eval" needs to be added in front of it.

0 Karma

qygoh
Engager

For your information, the acceptable range shown by the black arrows is a calculated theoretical value. Meanwhile, the value shown by the red arrow is the value we got from the experiment.

0 Karma
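
Putting the thread's pieces together, as an added example that is not code from either poster: a single search with the `eval` keyword the follow-up identified and with the ID strings quoted inside `if()`, which then labels each point as within or outside a band and puts the counts into the series names of a scatter chart. The band is an assumption: the 10th to 90th percentile of yvalue per xbin (fields `assumed_low` and `assumed_high`) stands in for the theoretical range, which the thread does not give; `index=foo` and the ID strings are the thread's own placeholders.

```spl
index=foo Customer="xyz" (ID="xvalue" OR ID="yvalue")
| bin _time span=1m
| eval xvalue=if(ID="xvalue", Value, null())
| eval yvalue=if(ID="yvalue", Value, null())
| stats avg(xvalue) as xvalue, avg(yvalue) as yvalue by Customer _time
| where isnotnull(xvalue) AND isnotnull(yvalue)
| bin bins=10 xvalue as xbin
| eventstats perc10(yvalue) as assumed_low, perc90(yvalue) as assumed_high by xbin
| eval in_range=if(yvalue>=assumed_low AND yvalue<=assumed_high, "within", "outside")
| eventstats count as points by in_range
| eval series=in_range." (".points.")"
| table series xvalue yvalue
```

Rendered as a scatter chart, the first column becomes the series name, so the legend shows how many one-minute points fall within and outside the band. With a known theoretical range, replace the `eventstats perc10 ... perc90` line with `eval` expressions that compute the two bounds from xvalue.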