I have log entries that contain, among other things, fields called AcctID and exec_time. I have a user who wants to do, essentially:

sourcetype=statslog | timechart count, avg(exec_time) by AcctID

Since I know this to not be directly possible in 4.1, I went to the strategy laid out in http://www.splunk.com/base/Documentation/4.1.6/User/ReportOfMultipleDataSeries. My search ends up being:

host=*prod* sourcetype=statslog "exec=getSingleAvailability" exec_time > 0 
| stats count as cnt, avg(exec_time) as avgexec by AcctID 
| eval s1="count avgexec" 
| makemv s1 | mvexpand s1 
| eval yval=case(s1=="count",cnt,s1=="avgexec",avgexec) | eval series=AcctID+":"+s1 

And I get results as expected, like:

     AcctID cnt  avgexec     s1        series        yval 
1   7490728 23  391.826087  count   7490728:count   23
2   7490728 23  391.826087  avgexec 7490728:avgexec 391.826087
3   5459551 22  193.954545  count   5459551:count   22
4   5459551 22  193.954545  avgexec 5459551:avgexec 193.954545

But when I add the final | xyseries _time,series,yval to the search, I get "No results found"

What am I missing?

asked 18 Mar '11, 17:27

pde23
535
accept rate: 0%

edited 19 Mar '11, 06:57

nick ♦
14.2k1318


One Answer:

I just walked through the docs myself using some access data use cases and it looks to me like there are mistakes in the documentation.

The docs give this example:

index=application_servers 
| stats sum(handledRequests) as hRs, avg(sessions) as ssns by source 
| eval s1="handledReqs sessions" 
| makemv s1 | mvexpand s1 
| eval yval=case(s1=="handledReqs",hRs,s1=="sessions",ssns) 
| eval series=host+":"+s1 
| xyseries _time,series,yval

The main mistake is that the stats should be by source, _time not just by source. Without a _time field coming out of the stats clause, the xyseries would indeed yield no results because there wouldn't be any _time fields at that point.

There's also a second mistake although it's minor and it doesn't seem to have tripped you up at all -- the eval series=host+":"+s1 should be eval series=source+":"+s1

I think you were following the docs perfectly, but the docs themselves got garbled at some point. It happens.

So try this:

host=*prod* sourcetype=statslog "exec=getSingleAvailability" exec_time > 0 
| stats count as cnt, avg(exec_time) as avgexec by AcctID, _time
| eval s1="count avgexec" 
| makemv s1 | mvexpand s1 
| eval yval=case(s1=="count",cnt,s1=="avgexec",avgexec) 
| eval series=AcctID+":"+s1 
| xyseries _time, series, yval

answered 19 Mar '11, 07:10

nick ♦
14.2k1318
accept rate: 47%
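To make the answer's point concrete without a Splunk instance, here is an added Python emulation of the pipeline (it is not Splunk code and not from the original thread; the event data is constructed, and the functions stats_by, expand_series and xyseries are simplified stand-ins for the SPL commands of the same name). It runs the same events through stats once with `by AcctID` and once with `by AcctID, _time`, then applies the mvexpand-and-case trick and the xyseries pivot, showing that the first variant produces no rows because nothing carrying _time survives the stats stage.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample events (not from the original post): one per request, with the
# fields the question's statslog events carry. Two distinct timestamps, two accounts.
EVENTS = [
    {"_time": 1300000000, "AcctID": "7490728", "exec_time": 400},
    {"_time": 1300000000, "AcctID": "7490728", "exec_time": 380},
    {"_time": 1300000000, "AcctID": "5459551", "exec_time": 200},
    {"_time": 1300000060, "AcctID": "7490728", "exec_time": 395},
    {"_time": 1300000060, "AcctID": "5459551", "exec_time": 190},
    {"_time": 1300000060, "AcctID": "5459551", "exec_time": 186},
]


def stats_by(events, by):
    """Emulate `stats count as cnt, avg(exec_time) as avgexec by <by fields>`.

    Only the by-fields and the aggregates survive this stage; every other field,
    _time included, is gone unless it is listed in `by`. That is the crux of the answer.
    """
    groups = defaultdict(list)
    for ev in events:
        groups[tuple(ev[f] for f in by)].append(ev["exec_time"])
    rows = []
    for key, times in sorted(groups.items()):
        row = dict(zip(by, key))
        row["cnt"] = len(times)
        row["avgexec"] = round(mean(times), 6)
        rows.append(row)
    return rows


def expand_series(rows):
    """Emulate `eval s1="count avgexec" | makemv s1 | mvexpand s1
    | eval yval=case(s1=="count",cnt,s1=="avgexec",avgexec) | eval series=AcctID+":"+s1`.

    Each stats row becomes two rows, one per metric, tagged with a series name.
    """
    out = []
    for row in rows:
        for s1 in ("count", "avgexec"):
            r = dict(row)
            r["s1"] = s1
            r["yval"] = row["cnt"] if s1 == "count" else row["avgexec"]
            r["series"] = f"{row['AcctID']}:{s1}"
            out.append(r)
    return out


def xyseries(rows, x="_time", y="series", val="yval"):
    """Emulate `xyseries x, y, val`: one output row per x value, one column per y value.

    Rows that lack the x field contribute nothing, so if stats dropped _time the
    pivot is empty, which is exactly the "No results found" the question describes.
    """
    table = {}
    for r in rows:
        if x not in r:
            continue
        table.setdefault(r[x], {})[r[y]] = r[val]
    return [dict({x: k}, **cols) for k, cols in sorted(table.items())]


def run_pipeline(by):
    """Run stats -> mvexpand/case -> xyseries over the constructed events."""
    return xyseries(expand_series(stats_by(EVENTS, by)))


if __name__ == "__main__":
    print("by AcctID only   ->", run_pipeline(["AcctID"]))        # []
    for row in run_pipeline(["AcctID", "_time"]):                 # two rows, one per _time
        print("by AcctID, _time ->", row)
```

One caveat that matters once you apply this to real data: `stats ... by AcctID, _time` groups on the exact event timestamp, so on a busy source you get a row per second rather than the bucketed series timechart would give; in Splunk the usual fix is to add `| bin _time span=1h` (or whatever span suits) ahead of the stats command so the grouping happens on time buckets.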

docs are fixed.

(20 Mar '11, 17:46) gkanapathy ♦

gerald's the best. =)

(21 Mar '11, 05:04) nick ♦

That's the ticket. Thanks, Doctor Nick!

(21 Mar '11, 17:08) pde23

Asked: 18 Mar '11, 17:27

Seen: 661 times

Last updated: 19 Mar '11, 07:10

Copyright © 2005-2012 Splunk, Inc. All rights reserved.