Reputation: 809
Splunk create chart of value of one field ordered by another
I have my example log line of:
<158>Mar 31 16:33:09 :[ 31-03-2015 16:33:09.823 ] [ pool-17-thread-9;itemId=1234567 ] [ INFO ] [ ItemManager ] - itemType=file:import completed with status=COMPLETE, executionTime=30 (sec), queuedTime=0 (sec), throttledTime=0 (sec), [FileImport(1234567) id=1234567 status=COMPLETE statusText= createdDate=2015-03-31T16:30:30.000Z scheduledDate=2015-03-31T16:30:30.000Z restartDate= startDate=2015-03-31T16:30:30.670Z lastUpdate=2015-03-31T16:33:09.513Z endDate=2015-03-31 serverId=foo.com:1]
What I want to do is create a bar/column graph of the executionTime for each itemId (which are unique) whose status=COMPLETE and itemType=file:import. (bonus would be cool to also add the serverId associated with the itemId)
So Y-Axis would be the executionTime (s) X-Axis would be per itemId (with the bonus of itemId/serverId)
I've tried itemType=file:import AND status=COMPLETE but don't know what to pipe in to get the axis and data correct.
Thanks! It's probably super easy but I've only done queries really, never tried charting.
Upvotes: 0
Views: 1761
Answers (1)
Reputation: 7349
Assuming that field extraction is being done correctly. You are likely looking for the chart command.
itemType=file:import status=COMPLETE
| chart sum(executionTime) as executionTime over itemId
For your initial one. Splunk may be smart enough, but you may need to strip all non digits from executionTime (e.g. 30 instead of 30 (sec)). If so, one way to do this could be to use the rex command.
itemType=file:import status=COMPLETE
| rex field=executionTime mode=sed "s/\D+//g"
| chart sum(executionTime) as executionTime over itemId
Now let's discuss your "serverId associated with the itemId" do itemIds correlate across servers, and you want to see a series for each server across all itemIds? If so:
itemType=file:import status=COMPLETE
| rex field=executionTime mode=sed "s/\D+//g"
| chart sum(executionTime) over itemId by serverId
You could have the xaxis be the serverID and the series be the itemId through reversing the over and by clauses. Depending on how many items / servers you have, in this case you'll want to play with the limit= argument to the stats command.
But what if you just wanted each server / item pair as its own xaxis value. Then we would use eval to build our xAxis values prior to charting... possibly like so:
itemType=file:import status=COMPLETE
| rex field=executionTime mode=sed "s/\D+//g"
| eval serverItem = serverId . "x" . itemId
| chart sum(executionTime) as executionTime over serverItem
(obviously you are in full control of the format of your key value, so if you want itemId first, or a different separator that's up to you.)
Upvotes: 1
Related Questions
- Splunk - display top values for only certain fields
- Splunk charts series with multiple sections
- Splunk: Combining multiple chart queries to get a single table
- Sorting the splunk timechart table with the values in descending order based on a row's values in the timechart table
- How Can I Generate A Visualisation with Multiple Data Series In Splunk
- Splunk two SourceTypes same columns into multiline chart with 2 axis
- SPLUNK multi-value chart
- bar chart based on field values
- How can one create a chart / report in Splunk which has many series? Is it possible?
- Splunk - chart 2 time periods on 1 report