Splunk Search

How to group by a multivalue field within a group visualization?

tjago11
Communicator

I'm able to get the data I'm looking for on the stats tab, but because there are multiple values for one of the columns the visualizer can't draw a pretty line.

At a high level I'm trying to link up server level metrics with process level metrics on the same report.

ApplicationName="myApp"
host="myServer"
(
  (eventtype="perfmon_windows" object="Network Interface" counter="Bytes Total/sec")
  OR
  (eventtype="perfmon_windows" object="Process" counter="Private Bytes" instance="w3wp*")
  OR
  (sourcetype=iis OR sourcetype=null())
)
| eval multipleValues = if(counter=="Private Bytes", Value, null())
| eval networkUtilizationValue = if(counter=="Bytes Total/sec", Value/1024, null())
| bucket _time span=1m
| chart count(eval(like(sourcetype, "iis"))) as transCount
  , values(multipleValues) as theFieldWithAnIssue
  , values(networkUtilizationValue) as networkUtilization
  by _time

I'm getting data, but there are multiple values for the second field. The field is groupable by "instance" but I don't know where to add this group by. I can average the fields but I really want them grouped by the "instance".

Sample data:
Time                 transCount  theFieldWithAnIssue  networkUtilization
2017-05-11 20:55:00  123         123                  123
                                 456
                                 789

Thanks.

0 Karma

woodcock
Esteemed Legend

You can use mvexpand or just break it out along the way like this:

... | stats count(eval(like(sourcetype, "iis"))) as transCount by _time multipleValues networkUtilizationValue
0 Karma

tjago11
Communicator

I don't want the transcount by the other fields, I want it to be the total transcount for the whole server and only break the "multipleValues" field out by instance.

0 Karma

woodcock
Esteemed Legend

What do you mean by "for the whole server"? You do not have a field called server or anything remotely like it (e.g. host).

0 Karma

cmerriman
Super Champion

Can you add an |mvexpand theFieldWithAnIssue at the end?
Or is it that you're looking to add another by clause?

...| stats count(eval(like(sourcetype, "iis"))) as transCount
, values(multipleValues) as theFieldWithAnIssue
, values(networkUtilizationValue) as networkUtilization
by _time instance 
0 Karma

tjago11
Communicator

Hmmm, I think this is getting closer.

Tried the mvexpand and it fixed the issue of the visualization, but it still has the values across all the "instance" groups in one field. Ideally it would be grouped by the instance.

Tried adding the instance to the "by" and it is grouping all the fields by instance now, but I really only want the single field grouped by the instance.

In a perfect world it would be something like:

| chart count(eval(like(sourcetype, "iis"))) as transCount
  , values(value1) as valueToCheck by instance
  , values(networkUtilizationValue) as networkUtilization
  by _time

I did figure out that I can fix the issue by adding eval statements for each instance...but that is tedious and boring. Thanks.

0 Karma

cmerriman
Super Champion

Could you try to do something like:

|eval instanceValue=instance . " - " . value1
|chart count(eval(like(sourcetype, "iis"))) as transCount values(instanceValue) as valueToCheck values(networkUtilizationValue) as networkUtilization by _time
0 Karma
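As an added example (not code from any post in this thread), one way to keep transCount and networkUtilization server-wide while breaking only the Private Bytes series out per instance: attach the per-minute server totals to every event with eventstats, then turn the instance name into a field name so stats produces one privateBytes_* column per instance. It assumes the field names from the original search (counter, instance, Value, sourcetype), that instance is populated on every Process event, and it drops the sourcetype=null() clause from the base search.

```spl
ApplicationName="myApp" host="myServer"
(
  (eventtype="perfmon_windows" object="Network Interface" counter="Bytes Total/sec")
  OR (eventtype="perfmon_windows" object="Process" counter="Private Bytes" instance="w3wp*")
  OR sourcetype=iis
)
| bucket _time span=1m
| eventstats count(eval(like(sourcetype, "iis"))) as transCount,
    avg(eval(if(counter=="Bytes Total/sec", Value/1024, null()))) as networkUtilization
  by _time
| where counter="Private Bytes"
| eval series="privateBytes_" . instance
| eval {series}=Value
| stats values(transCount) as transCount,
    values(networkUtilization) as networkUtilization,
    avg(privateBytes_*) as privateBytes_*
  by _time
```

After eventstats every event in a minute carries the same transCount and networkUtilization, so values() of them in the final stats returns a single value, while avg(privateBytes_*) gives one column per w3wp instance that the line chart can plot. Minutes with no Private Bytes sample are removed by the where clause, so they will not appear on the chart at all.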