- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- 3 dimension chart--can this be done?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
3 dimension chart--can this be done?
I have a saved search that pipes to a chart with both an "over" and "by". Ideally, I'd like for this to go into a 3rd dimension of "time".
source=*mysource.log | chart count by field1 over field2
I end up with a group of rows with the various values for field1 on the left hand column and the various values of field2 at the top row. I'd ideally like to have these little groupings broken out by hours so that I can see that field1_value1 had a count of 9 field2_value1 at noon.
Is this possible?
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well, this isn't the answer you're looking for, but it's definitely fun and it might give you a way forward so here goes.
You can do some very peculiar things in a custom view using the Sideview Multiplexer module. The simplest use of Multiplexer is to give it a single HTML module, and it will then create one clone of that HTML module for each value of a given field that it sees in the search result. This becomes an open-ended 'results renderer'. However you can also give Multiplexer a bunch of modules, and one or more of those can be a JSChart module. In such a case it will create a clone of that "bunch" of modules, one cloned bunch for each value of a given field that it sees in the search result.
Skipping ahead, this means that you can create a timechart count by field1, and then create one of those for every value of field2. Multiplexer works with the Pager module, so you can throw page-links up there if cramming them all on one page isn't feasible.
So you get a big dynamic series of different 2-dimensional charts. in a way, this is sort of the same thing as charting in 3 dimensions. 😉
Anyway, here's a working example against some internal data. This example looks at all the REST traffic to splunkd, does a timechart count by status, and then does one of those charts for every value of "file".
<module name="Search" layoutPanel="panel_row3_col1" autoRun="True">
<param name="search">index=_internal sourcetype=splunkd_access NOT "/services/search/jobs" | bin _time span="1h" | stats sum(bytes) as bytes by status file _time</param>
<param name="earliest">-24h</param>
<param name="latest">now</param>
<module name="JobProgressIndicator" />
<module name="HiddenChartFormatter">
<param name="charting.chart">line</param>
<param name="charting.chart.nullValueMode">zero</param>
<param name="charting.legend.placement">right</param>
<param name="charting.axisTitleX.visibility">collapsed</param>
<module name="PostProcess">
<param name="search">dedup file | sort file</param>
<module name="Pager">
<param name="count">5</param>
<module name="Multiplexer">
<param name="field">file</param>
<module name="PostProcess">
<param name="search">search file="$file$" | timechart span="1h" sum(bytes) as bytes by status</param>
<module name="HTML">
<param name="html"><![CDATA[
<h2>$file$</h2>
]]></param>
</module>
<module name="JSChart">
<param name="height">150px</param>
<param name="width">100%</param>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
Your mileage may vary. Like I said it may not be what you're looking for, but at least it's fun. Also note that you'll need the latest Sideview Utils from the Sideview Site to get the Multiplexer module. Latest is 2.3, and the version on Splunkbase is only 1.3.5. http://sideviewapps.com/apps/sideview-utils
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are a couple ways to go about this:
1) Use the bucket command to get your time ranges instead of a time chart:
| bucket _time span=1h | stats count by _time field1 field2
2) join your two distinct fields into a single value you can timechart over
| eval combined_field=field1 + "_" + field2 | timechart count by combined_field
Both get you the data you want, just in different formats. Try them both and see what works best for you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Technically no. But you can fake it. You make a third field that's a combination of field1 and field2. In my example, I wanted each host and status code to have its own series, so I ran
sourcetype=access_combined| eval host_status = host + "_" + status | timechart count by host_status
And that gives me a line for each host/status code combo complete with a count over time.
Much Thanks to emiller43 for the tip!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't believe so. I asked a similar question in the #splunk irc channel and I don't think we can do 3d. I had wanted to do syslog processes by host over time.
Instead I just created multiple charts with defined timeframes
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
