Solved: Re: How to group my sample events together for a t...

schose · ‎03-12-2015

Hi all,

I'm searching for a way to treat different events as one. Example: If I'm getting events like this where every field-value pair is in one event, it's easy to deal with it:

events:

1426177481 testhost=wonderserver3 running=3 sleeping=147 zombie=2
1426177492 testhost=wonderserver1 running=4 sleeping=141 zombie=2
1426177493 testhost=wonderserver2 running=1 sleeping=146 zombie=2

target: sum all key-value pairs together over the time and create a chart:

index="temp" testhost=* | eval allprocesses=running+sleeping+zombie | timechart avg(allprocesses) by testhost

but now I'm getting events looking like this:

1426179351 thost=appserver03 object=zombie value=1
1426179352 thost=appserver03 object=sleeping value=147
1426179353 thost=appserver03 object=running value=1
1426179354 thost=appserver02 object=zombie value=1
1426179355 thost=appserver02 object=sleeping value=147
1426179356 thost=appserver02 object=running value=1

What would be a good idea to group this events together? Value is always the named "value" and the key is included in object. All they have in common is a the hostname..

Thanks four your help in advance

Andreas

schose · ‎03-18-2015

HI all,

thanks for your answers. For me the main problem was that all values was created in the field "value". It worked much better for me to extract the fieldnames using the <_KEY_1><_VAL_1> Fields. This fields extract the names of the values "dynamic" so i get fields with e.g. running=3 sleeping=105 ...

so creating a timechart is quite easy when using search | timechart avg(running) as running avg(sleeping) as sleeping

Thx and best regards,

Andreas

View solution in original post

schose · ‎03-18-2015

HI all,

thanks for your answers. For me the main problem was that all values was created in the field "value". It worked much better for me to extract the fieldnames using the <_KEY_1><_VAL_1> Fields. This fields extract the names of the values "dynamic" so i get fields with e.g. running=3 sleeping=105 ...

so creating a timechart is quite easy when using search | timechart avg(running) as running avg(sleeping) as sleeping

Thx and best regards,

Andreas

ppablo · ‎03-17-2015

Hi @schose

Just following up with this post, but did either of the 3 responses you got here solve your question? If yes, please be sure to resolve this post by accepting the one that worked best for your case. Thanks!

tachifelix · ‎03-17-2015

try something like this:

index="temp" testhost=*  |bucket span=1d _time |eval allprocess=runing+sleeping+zombie |timechart avg(allprocess)

change the span as you need

dcharb78 · ‎03-12-2015

Quick way to group them:

index=test sourcetype="answers" | transaction maxspan=5s thost

Assuming the whatever is polling them is doing it serially and there is a max span of 5 seconds.

somesoni2 · ‎03-12-2015

You can try something like this but you would have to specify the timechart span (in bucket command). This example does it for a day.

index="temp" testhost=*  |bucket span=1d _time | stats sum(value) as value by _time, testhost | timechart avg(value) by testhost

How to group my sample events together for a timechart?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases