Solved: Timechart multiple events by a field

nirt · ‎03-04-2013

Hi,
I have multiple events that I wish to timechart the top 20, the events look like this:

s.d.r.rrm.0.TIME.Range[1,2].hod.-1.number = 100

s.d.r.rrm.500.TIME.Range[1,2].hod.-1.number = 300

s.d.r.rrm.300.TIME.Range[1,2].hod.-1.number = 500

total of around 200+ of those.

I want to create a timechart of the top 20 results using a by of the 4th field(0,500,300) so I will have a timechart of 20 lines based on the 4th field

if i do a search with s.d.r.rrm.*.TIME.Range[1,2].hod.-1.number then I see my search bringing back all the results which is good but top doesn't work and using timechart max(*number) doesn't work either

Thanks in advance

lguinn2 · ‎03-06-2013

I am starting an entirely new answer thread, as so much more information has been shared - the old answer no longer makes sense. Try this, and see if it is closer to the information that you want.

"s.d.r.rrm.*.TIME.Range[*].hod.-1.number"
| rex "s\.d\.r\.rrm\.(?<country>.*?)\.TIME\.Range\[?<timeRange>\d+\,"
| search [ search "s.d.r.rrm.*.TIME.Range[*].hod.-1.number"
    | rex "s\.d\.r\.rrm\.(?<country>.*?)\."
    | stats sum(number) as Total by country 
    | sort -Total
    | return 20 country ]
| chart sum(number) as TotalCount by timeRange country

The subsearch identifies the top 20 countries and returns the list to the main search. The main search then filters so that only those countries remain.

You cannot have a timechart with multiple fields in the "by" clause, so I have used chart instead. The timeRange field represents only the first integer in the time range.

View solution in original post

lguinn2 · ‎03-06-2013

I am starting an entirely new answer thread, as so much more information has been shared - the old answer no longer makes sense. Try this, and see if it is closer to the information that you want.

"s.d.r.rrm.*.TIME.Range[*].hod.-1.number"
| rex "s\.d\.r\.rrm\.(?<country>.*?)\.TIME\.Range\[?<timeRange>\d+\,"
| search [ search "s.d.r.rrm.*.TIME.Range[*].hod.-1.number"
    | rex "s\.d\.r\.rrm\.(?<country>.*?)\."
    | stats sum(number) as Total by country 
    | sort -Total
    | return 20 country ]
| chart sum(number) as TotalCount by timeRange country

The subsearch identifies the top 20 countries and returns the list to the main search. The main search then filters so that only those countries remain.

You cannot have a timechart with multiple fields in the "by" clause, so I have used chart instead. The timeRange field represents only the first integer in the time range.

nirt · ‎03-06-2013

This is much better!, however a few issues:
1. the first rex did not work so i changed it to:
rex "s.d.r.rrm.(?.?).TIME.(?.?).
2. For some reason in each timerange i see a country called 'OTHER' and 'VALUE'
3. if i manually try to find those countries by running search:
"s.d.r.rrm.OTHER.TIME.Range[*].hod.-1.number" , it finds no results - so it doesn't exist. Splunk adds this manually?

Other than that - AMAZING!
Thanks!!!

lguinn2 · ‎03-04-2013

Do you actually have a field for the fourth element? What is its name? If you don't have a field defined, then you can't do top or timechart on it.

This might work, if you don't have a field:

s.d.r.rrm.*.TIME.Range[1,2].hod.-1.number
| rex "s\.d\.r\.rrm\.(?<myfield>.*?)\."
| top myfield

or

s.d.r.rrm.*.TIME.Range[1,2].hod.-1.number
| rex "s\.d\.r\.rrm\.(?<myfield>.*?)\."
| stats count by myfield
| sort -count

etc.

Adding additional reporting based on comments below...

s.d.r.rrm.*.TIME.Range[1,2].hod.-1.number
| rex "s\.d\.r\.rrm\.(?<country>.*?)\."
| timechart span=1h limit=20 useother=f usenull=f count by country

nirt · ‎03-05-2013

Thanks, I keep seeing that I forgot to give all the picture.
Besides the country parameter I also have TimeRange parameters
so:
s.d.r.rrm.*.TIME.Range[1,2].hod.-1.number

and
s.d.r.rrm.*.TIME.Range[3,4].hod.-1.number

To make it easier I will make it span=1d instead of 1h to ease the view as daily check is good enough
However I need to split by country and range... meaning the count of number of country is per range
so country 1 has 2-3 ranges, each range has it's own number

Thanks again and sorry that i missed this

nirt · ‎03-05-2013

i'll try to rephrase the question.
How can I take all the data - and do top on the avg of all the data BY myfield and then do timechart on that?

nirt · ‎03-04-2013

i sort the data per event(each event is different country) and i want to see the top events(in the sum of a day)
could be what i want to do is over-kill and maybe it's better to show a bar chart of the total amount every day(data is taken every hour) and then will it be possible to perform top 20 on that bar timechart?

lguinn2 · ‎03-04-2013

The line chart is fine, I just didn't understand how you want to sort things.

nirt · ‎03-04-2013

I want to see the data in timeframe(1 day or maybe 1 week), the data is per country so i want to see the top results as i don't care about countries with low amount of values and line chart seemed like the best way to do it to see the data and easiest to understand it but perhaps i'm wrong?

lguinn2 · ‎03-04-2013

Timechart does not sort by the field, as it orders the data by time. What exactly are you trying to sort? Are you certain that the timechart command is the best way to express your results?

nirt · ‎03-04-2013

Thanks, I took the rex you provided and that have created my field(as it did not have one in the past),I've added afterwards timechart and it seems to be looking better!
my query looks as following now:
s.d.r.rrm..TIME.Range[1,2].hod.-1.number
| rex "s.d.r.rrm.(?.?)." | timechart span=1h per_hour(number) BY myfield
As i have 3 hosts that give me this information i need to aggregate them and do the timechart based on that(using per_hour)
however I do notice that it does not sort it, and adding the sort command before doesn't help as it does sort count events.any idea how to fix?

Timechart multiple events by a field

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk