How to format splunk graphs to show multiple lines (one line for each method)? - splunk

I am new to splunk reports; I am trying to achieve the following:
I want to generate a splunk logs report (graphical) for API performance with execution time on the x-axis and method names on the y-axis. I am trying to run the following query:
cs_dataowner_id="ICTO-31263" cs_stage = UAT
| search cs_component_id="icomply-gpat-api-buslogs"
| search Action=API_PERFORMANCE
| table Message Execution_Time
| sort -Execution_Time
The expected line graph should show a single line for each method (API) extending along the time on the x-axis, so the number of lines should equal the number of APIs/methods called in that time range.
Current output: a single line for all the methods (here I have 2 APIs).
I tried all the formatting options but nothing worked.

Instead of piped search commands, do it all on the first line:
cs_dataowner_id="ICTO-31263" cs_stage=UAT cs_component_id="icomply-gpat-api-buslogs" Action=API_PERFORMANCE
Instead of the sort and table commands, use chart:
| chart count(Message) as Messages over Execution_Time by Message
This command graphs the number of calls to each API with Execution_Time on the X-axis and separate lines for each API (Message).
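To see what the chart command changes compared with table, here is a small added Python model (not from the question or the answer, and not Splunk code) that pivots constructed sample events the way `chart count over Execution_Time by Message` does; the optional span argument mirrors bucketing of the numeric axis and is an assumption of this model.

```python
from collections import defaultdict

# Constructed sample events: what `table Message Execution_Time` would emit,
# one row per API_PERFORMANCE log line (values are made up for illustration).
EVENTS = [
    {"Message": "getOrder", "Execution_Time": 120},
    {"Message": "getOrder", "Execution_Time": 120},
    {"Message": "getOrder", "Execution_Time": 340},
    {"Message": "putOrder", "Execution_Time": 120},
    {"Message": "putOrder", "Execution_Time": 560},
]


def table_single_series(events, over):
    """What `| table Message Execution_Time` hands to a line chart: one series
    in row order, so every API collapses onto the same single line."""
    return [ev[over] for ev in events]


def chart_count_over_by(events, over, by, span=None):
    """Model of `| chart count over <over> by <by>`.

    Returns (x_values, series): x_values is the sorted X-axis, series maps
    each <by> value (here: each API name) to a list of counts aligned with
    x_values. Missing cells are filled with 0, so every API becomes a
    complete line. `span` (assumed extra) buckets the numeric axis like
    Splunk's span option, e.g. span=200 turns 340 into the 200 bucket.
    """
    def bucket(value):
        return value if span is None else (value // span) * span

    counts = defaultdict(int)
    for ev in events:
        counts[(bucket(ev[over]), ev[by])] += 1
    x_values = sorted({bucket(ev[over]) for ev in events})
    names = sorted({ev[by] for ev in events})
    series = {name: [counts[(x, name)] for x in x_values] for name in names}
    return x_values, series


if __name__ == "__main__":
    print("table:", table_single_series(EVENTS, "Execution_Time"))
    x, s = chart_count_over_by(EVENTS, "Execution_Time", "Message")
    print("chart X axis:", x)
    for name, line in s.items():  # one line per API, as the answer describes
        print(f"chart line {name}:", line)
```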

Related

Cloudwatch Dashboard - Hide x-axis label from a bar graph

I am currently using CloudWatch Insights to plot a bar graph on a dashboard by querying CloudWatch logs. The log data (which now will become the label) is a bit sensitive to be shown on the dashboard; however, while plotting, the bar graph continues to show the label.
Here's the insight query that I'm using.
filter #message like /Request class .* student /
| parse #message /Request class (?<classId>\S+) student (?<studentId>\S+)/
| stats count(*) as students, count_distinct(classId) as classes by studentId
| sort students desc
| limit 20
Here studentId is something we don't want to show up on the graph.
I'm looking for either of the following:
Is there a way to hide or obfuscate the label in the dashboard?
If not, can we try modifying the Insights query to help obfuscate the same?

Splunk viewing '_value' not using mcatalog

According to Splunk, | mcatalog values(_value) WHERE index=index-name is not allowed. Is there another way to view _value's for all the requests sent without using mcatalog?
P.S. I've looked into mstats but it only offers max, min, sum, etc.
If the metric you're looking for has a minute frequency you can use latest(_value) with mstats and a span of 1 minute. You will get the raw value recorded by that minute measurement.
| mstats latest(_value)
WHERE index=em_metrics metric_name="*" span=1m
BY metric_name
Notice how the raw value changes every minute:
If this fixes your problem, take a moment to accept the answer. This can be done by clicking on the check mark beside the answer to toggle it from greyed out to filled in!

UniQuery LIST without page breaks

This should be simple but it's just not working. I have a list of records that I want to display in the terminal without anything besides the list of record keys. No Headers, page gaps, etc. The problem is I can't get rid of the page gaps that keep chopping up my list.
SORT INVENTORY HDR.SUPP COL.HDR.SUPP NO.PAGE NO.SPLIT COUNT.SUP
You need to change your TERM settings, ignore the 'type' option.
Increase the TERM 'B' (HELP TERM) to the total number of records you are returning.
For example if the report contains 100 records, you enter:
: TERM [to get default settings]
: TERM 80,100,132,60
: run LIST/SORT
: TERM A,B,C,D [ use values from first TERM ]
You need to run the term command prior to running your select.
Just in case you're trying to get this list of bare keys so you can copy/paste it somewhere else (like Excel), I'll throw out another option that may be helpful and save some scrolling:
:sort INVENTORY TO DELIM 9 /tmp/inventory.txt
Will run your command and dump the output (tab-delimited, though that's irrelevant with only one field) to a file in the tmp directory.
:UDT.OPTIONS 91 ON
Is helpful if you're dumping dates, numbers or anything that needs output formatting.
The UDT Options Command reference describes it as follows:
UDT.OPTIONS 91 U_LIST_TO_CONV
affects saved queries on data that is defined in the dictionary with a conversion code. For example, when a date is defined as D4, the internal date is 9611, which the conversion code translates as 04/24/94. UniData does not convert the data before it saves UniQuery results to an ASCII file. With UDT.OPTIONS 91, you can force the conversion before UniData saves the ASCII file.

Can Pandas generate a time stamp when a cell is executed?

I'm using an API to pull data from another website, putting it in a DataFrame and creating a visualization.
I want to have the title of the visualization to have the time-stamp from when the API (requests.get) pulls the info so we know exactly what time period the graph is representing.
Question: is there a way for Pandas to create a time stamp and save it in a variable when a specific cell is executed?
something like:
from datetime import datetime
request_time = datetime.now()  # capture the current timestamp
This code would be in the same cell as the requests.get...
so I can:
plt.title(f"This graph's info was generated at {request_time}")
This code would be in the cells where I'm creating the visualizations...
Thanks
You can use:
plt.title("This graph's info was generated at " + request_time)
EDIT:
It looks like you want to grab the timestamp at the time the request was made, save this to a variable, and add this to your plot title:
import pandas as pd
import matplotlib.pyplot as plt
from datetime import datetime
## Make the API request here (e.g. requests.get(...))
ts = str(pd.to_datetime(datetime.now()))  # timestamp taken right after the request
plt.title("This graph's info was generated at " + ts)

How do I make a stack column chart with two events organized by services?

Basically I need to make a column chart with the different endpoints along the x axis (services such as log in, etc.) with each endpoint having a unique column stacked with two colors, red for service error events and green for service events.
I can get something with a search string like this:
my search EVENT="[SERVICES]" OR EVENT="[SERVICE_ERROR]" | chart count by EVENT, ENDPOINT
though it has EVENT on the x axis (but showing both services and service errors like I need) with the endpoints being the differently colored stacks in the chart.
Yet reversing this causes ONLY SERVICE EVENTS to show up, which is beyond my reasoning since service errors appear in the first search.
Above is just something I tried. I also tried:
my search | fields ENDPOINT "[SERVICE]" "[SERVICE_ERROR]"
according to the splunk documentation on stacking charts here:
https://docs.splunk.com/Documentation/Splunk/7.1.1/Viz/ColumnBarCharts
(last example at bottom of page).
I wanted to make sure I was thorough with my explanation but in short...
My goal is to have all the endpoints displayed on the x axis with the count of the different service events and service error events as the actual graph data, as one column split into two colors for both events.
Thank you for any help!!
I found the answer and wanted to share in case anyone else might find this helpful:
First, I made a unique field for error using the field extractor. "[SERVICE_ERROR]" wanted to link to all other events similar to it so I had to use "error_message" to extract my errors.
Next I added this to my search string:
....... | stats count(eval(match(EVENT,"\[SERVICE\]"))) AS service count(error) AS error BY endservice
This calculates a table that finds the count of both the event "[SERVICE]" and the field "error" and renames them using "AS/as". The field "endservice" is a field extraction I use to get more accurate endpoints.
Finally I go to my chart's format option (near the magnifying glass and three dots in the upper right hand corner, it looks like a paint brush) and click on it. After that I selected "stacked column" (the middle one).
Then voila! I have my stacked graph of two different data types! I hope this helps someone else someday.