Hello,
I have this raw table:
1 2 3 4 5 6 7 8 9 10
0 0 0 0 0 0 0 0 0 0
502 497 496 496 497 500 499 499 498 497
0 0 0 0 0 0 0 0 0 0
496 491 493 492 493 497 496 497 497 492
496 488 492 491 490 496 495 497 496 491
506 502 502 501 504 506 504 504 503 501
496 490 490 490 491 495 493 494 494 491
549 541 542 541 542 547 547 548 547 542
The first line indicates the second; each of the other lines is a unique tester with his result for each second.
How can I create a chart that contains, for the 8 testers, the timeline with the value of each second?
Thank you
This puts your data in, as you have presented it...
| makeresults
| eval _raw=" 1 2 3 4 5 6 7 8 9 10
0 0 0 0 0 0 0 0 0 0
502 497 496 496 497 500 499 499 498 497
0 0 0 0 0 0 0 0 0 0
496 491 493 492 493 497 496 497 497 492
496 488 492 491 490 496 495 497 496 491
506 502 502 501 504 506 504 504 503 501
496 490 490 490 491 495 493 494 494 491
549 541 542 541 542 547 547 548 547 542"
This turns it into data fields called Tester_01 thru Tester_10, then assigns one-second increments to the different readings. The actual _time used is completely arbitrary in this version.
| multikv noheader=true
| rename Column_* as Tester_0* | rename Tester_010 as Tester_10
| streamstats count | eval _time = _time + count | table _time Tester*
Now we turn it into one result record per tester per _time unit, and then timechart the results...
| untable _time tester result
| timechart span=1s sum(result) by tester
Your data basically all land on top of one another, so there's not a lot to see in the result graph, but it works.
Is that how the data is in Splunk? What are the events - do you have one event for the first line, another for the second and so on? Or is the output above from a lot of manual search work? Or is this in Excel?
Mainly I ask because you may find it a lot easier to revise the original data into a different structure.
The data is from Excel, so Splunk took the first row (the seconds) as column names.