XYSERIES & UNTABLE Command In Splunk
Hi Guys!!!
Today we have come up with two new interesting commands, i.e. “xyseries” and “untable”.
Now, you might get amazed that why we are talking about two commands together.
Don’t worry. Soon, you will understand the purpose.
Let’s start with the first command, i.e. “xyseries”
XYSERIES: –
Usage of xyseries command: This command is ideal for graphical visualization with multiple fields, basically with the help of this command you can make your result set ina tabular format, which is suitable for graphical representation.Syntax of xyseries command:
|xyseries [grouped=<bool>] <x-field> <y-name-field> <y-data-field>... [sep=<string>] [format=<string>]x-field: The first field listed is the column, the x-axis field. y-name-field: The second field , it’s values will become the new columns.y-data-field: The third field listed, it will be the data values in the table for the new fields you created.
Example: 1
Let’s, start with a query without “xyseries” command, then with “xyseries” command, so that you will understand how the command is changing the visualization of the result set.
index=_internal sourcetype=splunkd_ui_access| stats count by method,status
Explanation:
In the above query “_internal” is the index and “splunkd_ui_access” is the sourcetype. With “stats” command we have used two fields “method” and “status” which is giving us the count of unique combination of values from method and status field.
Now, in the same query we will show you, how “xyseries” command will change the result set of the same query, which will be suitable for graphical representation. So, let’ see,
index=_internal sourcetype=splunkd_ui_access| stats count by method,status| xyseries method,status,count
Explanation: –
Here, we have used “method” as x-field, so you can see that the “method” field is present in the first column.
We have used “status” as y-name-field, so you can see that each value “status” field is now new columns.
We have used “count” as the y-data-field, so you can see that, the values of “count” field is giving the count of each unique combination of values from “method” and “status” field.
In other words, we can say, “xyseries” command changed the visualization of the previous query in a charting format.
Example: 2
In, this example, we will show you how we can use two y-data fields.
First, we will show without “xyseries” command, then with “xyseries” command, so that you will understand how the command is changing the visualization of the result set.
index=_internal sourcetype=splunkd_ui_access| stats count count(eval(user="admin")) as "user_count" by method,status
Explanation:
In the above query “_internal” is the index and “splunkd_ui_access” is the sourcetype.
With stats command we are taking the eventcount grouped by “method” and “status” field and the count of user “admin” grouped by “method” and “status” field. As a result we are getting four fields, i.e. method, status, count, user_count.
Now, the last two field i.e. “count” and “user_count” as the y-data field with “xyseries” command. So, let’s see,
index=_internal sourcetype=splunkd_ui_access| stats count count(eval(user="admin")) as "user_count" by method,status| xyseries method status count user_count
Explanation: –
Here, we have used “method” as x-axis field, so you can see that the “method” field is present in the first column.
We have used “status” as y-axis field, so you can see that each value “status” field is now new columns. But, you can see some other fields like “count” and “user_count” with “status” field values.
eg: “count:200” or “user_count:200” etc.
This is because, we have used two fields “count” and “user_count” as y-data field and each values of status field has created different columns with “count” field and “user_count” field.
UNTABLE: –
Usage of “untable” command:1. Untable command can convert the result set from tabular format to a format similar to “stats” command.2. This command can also be the reverse of the “xyseries” [Now, you guys can understand right, why we are mentioning “xyseries” and “untable” commands together]
Syntax of “untable” command:
| untable <x-field> <y-name-field> <y-data-field>x-field: The first field listed is the column, the x-axis field. y-name-field: The second field , the values of this field will be used as labels for the data series.y-data-field: The third field listed, field that contains the data to be charted
So, let’s see,
Example: 1
Let’s, start with a query without “untable” command, then with “untable” command, so that you will understand the changes clearly.
index=_internal sourcetype=splunkd_ui_access| top method
Explanation:
In the above query “_internal” is the index and “splunkd_ui_access” is the sourcetype.
Top command will give the “count” and “percentage” of “method” field values in descending order in “count” and “percent” field respectively.
Now, we use “untable” command in the query to see the changes.
Explanation:
Here, we have used method as x-axis field.
We have used “calculation” as y-axis-name-field which contains two values i.e. “count” and “percent” because top command has given “count” and “percent”.
We have used “value” as the y-data-field which contains corresponding values for the combination of “method” and “calculation” field.
Example: 2
Here, we will use the same example shown for “xyseries” command in [Example: 1], so that you can easily understand how “untable” command can be the reverse for “xyseries” command.
index=_internal sourcetype=splunkd_ui_access| stats count by method,status| xyseries method,status,count| untable method,status,count
As, you can see we have used “method” as x- field, “status” as y-name-field and “count” as y-data-field. It has changed converted the charting format of result set again to the format of stats output. [Similar to image: 1]
[Note: Please check the image: 1 and image: 2 to see the result set of “xyseries” command to compare].
Hope you have understood how to use xyseries and untable command in Splunk.
Happy Splunking !!!
What’s your Reaction?
+1
+1
+1
4
+1
+1
1
+1
+1
