
Getting a chart out of timechart

teichhorn
New Member

Hi,

I have a set of log data which is sent to Splunk; the events contain temperature data from some sensors. To get a nice list I used the following search:

source="envmon" | timechart list(bathtemp) list(balconytemp) list(kitchentemp) list(livingtemp) list(officetemp) list(sleepingtemp) cont=f

That works very well and gives me the following output:

[screenshot of the list output]

But when switching to chart, the chart itself looks like this:

[screenshot of the chart]

I believe I'm overlooking something very obvious to get a nice line chart over time,
and I hope someone here has some clue for me...

Thanks,
Tom


Ayn
Legend

list produces a list for a certain field. If there are multiple values in that list, timechart would have no way of knowing what to do with that, so it doesn't make sense for timechart to accept values from a list.

What is the reason for using list, and in what cases does it produce multiple results? If I were to go about this I would want two fields (apart from the timestamp): one for the temperature, and one for the location. In an example, let's call them temperature and location.

Now, some explanation on how timechart behaves: timechart needs some kind of statistical function that returns a unique value for the timespan it's operating on. If you don't define the timespan yourself it will be set dynamically depending on what time range the whole search spans, but let's take an example where the timespan is 1 minute and somewhere in your log you have 3 temperature readings from a certain sensor occurring in the index within 1 minute. Splunk needs to know how to give you ONE value for "temperature", even though there are 3 values. You can tell Splunk to just give you an average of the 3 events using the stats function avg:

... | timechart span=1m avg(temperature) as Temperature

Or, if you only want the values from the first of the events within the time period, use first instead of avg. Want the sum? Use sum. And so on. More information on statistical functions is available here: http://www.splunk.com/base/Documentation/latest/SearchReference/Stats

To make it do this split by location, just add a by directive at the end of the timechart command:

... | timechart span=1m avg(temperature) as Temperature by location

Ayn
Legend

Ok, so instead of splitting by a general time field, just do

... | timechart avg(bathtemp),avg(balconytemp) ...

You could also just use table if you want:

... | table _time bathtemp balconytemp ...

Both these should produce output that is consumable by the chart module.

teichhorn
New Member

Well, the problem is that location is not a field itself, but the field name - the input looks like: bathtemp="19,9";balconytemp="21,8";livingtemp="20,5";sleepingtemp="20,4";kitchentemp="20,4";officetemp="21,1";bathhydro="54";balconyhydro="54";livinghydro="52";sleepinghydro="57";kitchenhydro="54";officehydro="50"

Maybe I'm just a little bit stuck on some concept of Splunk...

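Putting Ayn's "by location" advice together with the raw event format Tom quotes above, here is one search that pulls the location out of the field name so timechart can split on it. It is an added example, not a search from either poster; it assumes the decimal comma in the sample ("19,9") should be read as a decimal point, and the 5-minute span is chosen arbitrarily.

```spl
source="envmon"
| rex max_match=0 "(?<sensor>\w+)temp=\"(?<reading>\d+,\d+)\""
| eval pair=mvzip(sensor, reading, "|")
| mvexpand pair
| eval location=mvindex(split(pair, "|"), 0)
| eval temperature=tonumber(replace(mvindex(split(pair, "|"), 1), ",", "."))
| timechart span=5m avg(temperature) AS Temperature BY location
```

The rex with max_match=0 collects every *temp="…" pair in an event into two multivalue fields, mvzip/mvexpand turns them into one row per sensor, and the replace/tonumber step matters because avg() ignores values that are not numeric, so readings left as "19,9" would contribute nothing to the chart.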