Splunk Search

stats values on x-axis and y-axis

nagaraju_chitta
Path Finder
basesearch
| rex max_match=0 "(?m)^(?<totaltime>[^:]+):\s+\[[^\]]*?\s+(?<field1>\d+)K-\>(?<field2>\d+)K\((?<field3>\d+)K\),\s+(?<duration>[^\s]+)\ssecs\]"
| table totaltime,duration
| stats / timechart / chart (would like to populate totaltime on the x-axis and duration on the y-axis)

I would like to show a trend line graph based on the values of "totaltime" on the x-axis and "duration" on the y-axis. Somehow I am using stats and I am getting the values, but I am unable to see the graph. Attached is the statistics table image from my search.

sample data:
28820.220: [Full GC (System.gc()) 8832K->8624K(37888K), 0.0261704 secs]
29372.500: [Full GC (Allocation Failure) 23984K->8816K(37888K), 0.0013546 secs]
29932.500: [Full GC (Allocation Failure) 24176K->8808K(37888K), 0.0017082 secs]
30492.500: [Full GC (Allocation Failure) 24168K->8960K(37888K), 0.0017122 secs]
31047.500: [Full GC (Allocation Failure) 24320K->8944K(37888K), 0.0020634 secs]
31602.500: [Full GC (Allocation Failure) 24304K->8992K(37888K), 0.0017542 secs]
32157.500: [Full GC (Allocation Failure) 24352K->8968K(37888K), 0.0018971 secs]
32420.247: [Full GC (System.gc()) 16160K->8944K(37888K), 0.0012816 secs]
8186.000: [Full GC (Allocation Failure) 91332K->36212K(246272K), 0.0081127 secs]
8347.676: [Full GC (System.gc()) 42225K->35996K(246272K), 0.0040077 secs]
8347.678: [Full GC (System.gc()) 35996K->21313K(246272K), 0.1147433 secs]
8929.342: [Full GC (Allocation Failure) 76609K->24356K(246784K), 0.0047687 secs]
8952.577: [GC (Allocation Failure) 80164K->29098K(246272K), 0.0053928 secs]
9921.694: [Full GC (Allocation Failure) 84906K->27626K(247808K), 0.0053474 secs]
11567.840: [Full GC (Allocation Failure) 85994K->27730K(247808K), 0.0030062 secs]
11947.795: [Full GC (System.gc()) 41757K->27562K(248320K), 0.0035917 secs]
11947.797: [Full GC (System.gc()) 27562K->22923K(248320K), 0.1237187 secs]


niketn
Legend

@nagaraju_chittathuru, try the following. Since your data is multivalued it cannot be plotted on a chart.
Assuming each totaltime is mapped one-to-one with a duration, you can use mvzip() to stitch the two multivalued fields together and then use mvexpand followed by split() to get single-valued fields in the table.

basesearch
| rex max_match=0 "(?m)^(?<totaltime>[^:]+):\s+\[[^\]]*?\s+(?<field1>\d+)K-\>(?<field2>\d+)K\((?<field3>\d+)K\),\s+(?<duration>[^\s]+)\ssecs\]"
| eval data=mvzip(totaltime, duration)
| mvexpand data
| eval data=split(data,",")
| eval totaltime=mvindex(data,0)
| eval duration=mvindex(data,1)
| table totaltime duration

Looking at your data, it seems like you are doing something wrong in event breaking and event timestamp recognition. Please re-evaluate that, as it is better to get event breaking and timestamps right while indexing rather than at search time.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

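To see why the accepted answer needs the one-to-one assumption, here is an added Python example (not code from the thread) that treats the GC log file as a single event, the way it arrives when the lines are not broken into separate events, and replays the rex / mvzip / mvexpand / split steps. The pattern is the thread's rex rewritten with Python named groups; the skippable GC label and the single-line totaltime are assumptions made here so the pattern matches the posted sample lines.

```python
import re

# The thread's rex as a Python pattern. Two deliberate deviations, both
# assumptions of this added example: "[^\]]*?" lets the pattern skip the
# "Full GC (System.gc())" / "GC (Allocation Failure)" label that sits between
# "[" and the first size, and "[^:\n]+" keeps totaltime on a single line.
GC_LINE = re.compile(
    r"^(?P<totaltime>[^:\n]+):\s+\[[^\]]*?\s+(?P<field1>\d+)K->(?P<field2>\d+)K"
    r"\((?P<field3>\d+)K\),\s+(?P<duration>\S+)\ssecs\]",
    re.MULTILINE,
)

# A GC log file indexed as one event, copied from the sample data in the thread.
SAMPLE_EVENT = """\
Java HotSpot(TM) 64-Bit Server VM (25.141-b15) for linux-amd64 JRE (1.8.0_141-b15), built on Sep 11 2017 03:25:22 by "java_re" with gcc 4.3.0 20080428
Memory: 4k page, physical 132155544k(50054816k free), swap 33553404k(33517360k free)
4.493: [Full GC (System.gc()) 671129K->61731K(32156672K), 0.1042161 secs]
4.597: [Full GC (System.gc()) 61731K->60858K(32156672K), 0.2231717 secs]
8952.577: [GC (Allocation Failure) 80164K->29098K(246272K), 0.0053928 secs]
11947.797: [Full GC (System.gc()) 27562K->22923K(248320K), 0.1237187 secs]
"""


def extract_multivalue(event):
    """Equivalent of ``rex max_match=0``: every matching line contributes one
    value, so totaltime and duration come back as two parallel lists."""
    matches = list(GC_LINE.finditer(event))
    return ([m.group("totaltime") for m in matches],
            [m.group("duration") for m in matches])


def first_match_only(event):
    """Equivalent of rex with its default max_match=1: only the first GC line
    is extracted, which is why a multiline event needs max_match=0."""
    m = GC_LINE.search(event)
    return None if m is None else (m.group("totaltime"), m.group("duration"))


def mvzip_expand(totaltime, duration):
    """Replays eval data=mvzip(totaltime, duration) | mvexpand data
    | eval data=split(data, ",") | mvindex(data, 0) / mvindex(data, 1).
    Pairing is by position, so both lists must have the same length and order;
    a length mismatch would silently pair the wrong values, hence the check."""
    if len(totaltime) != len(duration):
        raise ValueError("totaltime/duration counts differ; pairing is unsafe")
    zipped = [f"{t},{d}" for t, d in zip(totaltime, duration)]  # mvzip
    rows = []
    for data in zipped:                 # mvexpand: one row per zipped value
        parts = data.split(",")         # split(data, ",")
        rows.append((float(parts[0]), float(parts[1])))  # mvindex 0 and 1
    return rows
```

The rows returned by mvzip_expand are what a chart needs: one single-valued totaltime and duration per row, with the two JVM header lines ignored because they never match the pattern.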

lfedak_splunk
Splunk Employee

Hey @nagaraju_chittathuru, if they solved your problem, remember to "√Accept" an answer to award karma points 🙂

0 Karma

nagaraju_chitta
Path Finder

@lfedak: It's my pleasure to accept such kind help from the community. In fact, I was discussing the answer further; that's why I was waiting to accept. Now accepted, and thanks for the reminder 🙂

0 Karma

niketn
Legend

How many lines maximum can each file have? If this is not huge and the performance of your regular expression and multi-value field handling commands is within expected norms, then you can skip splitting the events upfront and live with what you currently have.

Anyway, your events will have the file build time as their event timestamp (i.e. _time), so if you plan for event timestamp recognition and event breaking, all you need to do is set the SHOULD_LINEMERGE option to false in props.conf for your sourcetype. Refer to the documentation: http://docs.splunk.com/Documentation/Splunk/latest/Data/Setsourcetype

You should also read up on whether the type of data from the type of system you have already has a default sourcetype, Splunk add-on or Splunk App available or not. Sorry, but I am not aware of JVMs, but someone else might be able to help based on the Java HotSpot(TM) 64-Bit Server VM (25.141-b15) for linux-amd64 JRE snippet that you have provided.


[your_jvm_sourcetype]
SHOULD_LINEMERGE=false
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

nagaraju_chitta
Path Finder

@niketn: This works fine. Quick question on the event split. Below is the data as it flows to Splunk as one file. Somehow Splunk is treating the whole file as one event. Is this sample data below supposed to split into 6 events? Please clarify.

Java HotSpot(TM) 64-Bit Server VM (25.141-b15) for linux-amd64 JRE (1.8.0_141-b15), built on Sep 11 2017 03:25:22 by "java_re" with gcc 4.3.0 20080428
Memory: 4k page, physical 132155544k(50054816k free), swap 33553404k(33517360k free)
4.493: [Full GC (System.gc()) 671129K->61731K(32156672K), 0.1042161 secs]
4.597: [Full GC (System.gc()) 61731K->60858K(32156672K), 0.2231717 secs]
11567.840: [Full GC (Allocation Failure) 85994K->27730K(247808K), 0.0030062 secs]
11947.795: [Full GC (System.gc()) 41757K->27562K(248320K), 0.0035917 secs]
11947.797: [Full GC (System.gc()) 27562K->22923K(248320K), 0.1237187 secs]


nagaraju_chitta
Path Finder

attachment for the post
