Hi,
I have a set of log data which is sent to Splunk; it contains some temperature data from some sensors. To get some nice list I used the following search:
source="envmon" | timechart list(bathtemp) list(balconytemp) list(kitchentemp) list(livingtemp) list(officetemp) list(sleepingtemp) cont=f
That works very well and gives me the following output:
But when switching to chart, the chart itself looks like this:
I believe I am overlooking something very obvious to get a nice line chart over time, and I hope someone here has some clue for me...
Thanks,
Tom
list produces a list for a certain field. If there are multiple values in that list, timechart would have no way of knowing what to do with that, so it doesn't make sense for timechart to accept values from a list.
What is the reason for using list, and in what cases does it produce multiple results? If I were to go about this I would want two fields (apart from the timestamp): one for the temperature, and one for the location. In an example, let's call them temperature and location.
Now, some explanation on how timechart behaves: timechart needs some kind of statistical function that returns a unique value for the timespan it's operating on. If you don't define the timespan yourself it will be set dynamically depending on what time range the whole search spans, but let's take an example where the timespan is 1 minute and that somewhere in your log you have 3 temperature readings from a certain sensor occurring in the index within 1 minute. Splunk needs to know how to give you ONE value for "temperature", even though there are 3 values of each. You can tell Splunk to just give you an average of the 3 events using the stats function avg:
... | timechart span=1m avg(temperature) as Temperature
Or, if you only want the values from the first of the events within the time period, use first instead of avg. Want the sum? Use sum. And so on. More information on statistical functions is available here: http://www.splunk.com/base/Documentation/latest/SearchReference/Stats
To make it do this split by location, just add a by directive at the end of the timechart command:
... | timechart span=1m avg(temperature) as Temperature by location
Ok, so instead of splitting by a general time field, just do
... | timechart avg(bathtemp),avg(balconytemp) ...
You could also just use table if you want:
... | table _time bathtemp balconytemp ...
Both these should produce output that is consumable by the chart module.
Well, the problem is that location is not a field itself, but the field name. The input looks like:
bathtemp="19,9";balconytemp="21,8";livingtemp="20,5";sleepingtemp="20,4";kitchentemp="20,4";officetemp="21,1";bathhydro="54";balconyhydro="54";livinghydro="52";sleepinghydro="57";kitchenhydro="54";officehydro="50"
Maybe I'm just a little bit stuck with some concept of splunk..
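The following is an added example, not code from the thread or from Splunk: it takes the envmon line format Tom posted, reshapes each event into the (location, temperature) pairs the answer above recommends, and then reproduces by hand what timechart span=1m avg(temperature) by location computes, so you can see why one value per span per series is what the chart needs. Two assumptions are made: the event timestamps are invented (the thread shows none), and the decimal comma in values such as "19,9" is converted to a dot, because Splunk's avg only aggregates values it can parse as numbers and would otherwise silently skip them.

```python
"""Added example (not from the original thread or from Splunk): unpivot the
envmon key=value line into (location, temperature) rows and compute the same
per-span average that `timechart span=1m avg(temperature) by location` yields."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events in the format Tom posted. Timestamps are assumed;
# the thread shows none.
SAMPLE_EVENTS = [
    ('2024-01-01T10:00:10Z',
     'bathtemp="19,9";balconytemp="21,8";livingtemp="20,5";sleepingtemp="20,4";'
     'kitchentemp="20,4";officetemp="21,1";bathhydro="54";balconyhydro="54";'
     'livinghydro="52";sleepinghydro="57";kitchenhydro="54";officehydro="50"'),
    ('2024-01-01T10:00:40Z',
     'bathtemp="20,1";balconytemp="21,6";livingtemp="20,5";sleepingtemp="20,4";'
     'kitchentemp="20,6";officetemp="21,1";bathhydro="55";balconyhydro="54";'
     'livinghydro="52";sleepinghydro="57";kitchenhydro="54";officehydro="50"'),
    ('2024-01-01T10:01:05Z',
     'bathtemp="20,3";balconytemp="21,4";livingtemp="20,7";sleepingtemp="20,6";'
     'kitchentemp="20,8";officetemp="21,3";bathhydro="55";balconyhydro="53";'
     'livinghydro="52";sleepinghydro="56";kitchenhydro="54";officehydro="51"'),
]

# Matches only the *temp fields; the *hydro fields are left alone.
KV_RE = re.compile(r'(?P<location>[a-z]+)temp="(?P<value>[0-9]+(?:,[0-9]+)?)"')


def parse_event(line):
    """Return [(location, temperature), ...] for one envmon line.
    The field name carries the location ("bathtemp" -> "bath"), and the decimal
    comma is replaced so the value becomes a real number."""
    return [(m.group('location'), float(m.group('value').replace(',', '.')))
            for m in KV_RE.finditer(line)]


def bucket_start(ts, span_seconds=60):
    """Epoch second of the span containing ts (what timechart's _time column shows)."""
    dt = datetime.strptime(ts, '%Y-%m-%dT%H:%M:%SZ').replace(tzinfo=timezone.utc)
    epoch = int(dt.timestamp())
    return epoch - epoch % span_seconds


def timechart_avg_by_location(events, span_seconds=60):
    """Mimic `timechart span=1m avg(temperature) by location`: exactly one number
    per (span, location), averaging all readings that fall into the same span."""
    sums = defaultdict(float)
    counts = defaultdict(int)
    for ts, line in events:
        bucket = bucket_start(ts, span_seconds)
        for location, temp in parse_event(line):
            sums[(bucket, location)] += temp
            counts[(bucket, location)] += 1
    table = defaultdict(dict)
    for (bucket, location), total in sums.items():
        table[bucket][location] = round(total / counts[(bucket, location)], 2)
    return dict(table)


if __name__ == '__main__':
    # One row per span, one column per location: the shape a line chart wants.
    for bucket, row in sorted(timechart_avg_by_location(SAMPLE_EVENTS).items()):
        print(datetime.fromtimestamp(bucket, timezone.utc).isoformat(), row)
```

The first two constructed events fall into the 10:00 span, so the bath series there is the average of 19,9 and 20,1; the third event is alone in the 10:01 span. In Splunk itself the equivalent is to extract the pairs (for example with rex and mvexpand), convert the comma with eval replace, and then run the timechart from the answer above; without the conversion the avg column stays empty.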