X/Y Axis Using Only Field Data

I have a record that comes into elk every minute. It's a snapshot of job delay data on a mainframe.
What I am trying to do is build a chart that shows each Job associated with its 'delay %'.

The record is in XML format. I have logstash parse/convert the needed values in that doc using XPath and mutate. So now I have multiple job names (job_name1, job_name2, etc.) and multiple "delay %'s" (delay_percent1, delay_percent2, etc.) in each record.

Is there a way I can build a graph where my Y-Axis contains the delay % and my X-Axis contains the job/program names?

Y-Axis contains: Delay percent of each field "delay_percent" (won't ever go over 100)
X-Axis contains: job_name1, job_name2, job_name3,...job_name20

Can't figure this out.

Try creating a Vertical Bar Chart - https://www.elastic.co/guide/en/kibana/current/xy-chart.html

Set your X-Axis to aggregate on job names. I think this displays at least part of the solution you're looking for.

See that's the problem, when I do that (select x-axis, then aggregate, then terms) I have all the "job_name#" as options. So I can make the graph you posted above, but I can only do it with one "job_name#" at a time.

Also that graph above is using many different events/messages, all of my data is coming from one single event (hence the job_name1, job_name2, etc -- as opposed to many events with a single 'job_name')

Is there a way to wildcard job_name? So I can aggregate on "job_name*"

PS sorry for the late reply, been out of town for a while.

It might be helpful if you could share a couple of sample documents with me and perhaps a screenshot.

That said, I'll take a guess - Why do you have the job name content in different fields? Is there anything restricting you from putting it into a single field?

Because it's an xml doc with 20 different rows that each specify a different job. Underneath each row is job specific information. So I can either have each job in its own field (which is what I have now), or I can have all jobs in the same field, which obviously won't work. Unless you know how to split the XML doc into multiple events? Here's what it looks like:

(the first < col > within each "<row refno= percent=>" contains the job name)

	<row refno="1" percent="100">
	<row refno="2" percent="63.0564">
	<row refno="3" percent="52.9674">
	<row refno="4" percent="13.1238">
	<row refno="5" percent="9.56299">
	<row refno="6" percent="8.91557">
	<row refno="7" percent="6.20448">
	<row refno="8" percent="5.90774">
	<row refno="9" percent="5.46264">
	<row refno="10" percent="5.20637">
	<row refno="11" percent="4.53197">
	<row refno="12" percent="3.69571">
	<row refno="13" percent="3.15619">
	<row refno="14" percent="3.12921">
	<row refno="15" percent="2.48179">
	<row refno="16" percent="2.38738">
	<row refno="17" percent="2.10413">
	<row refno="18" percent="1.65902">
	<row refno="19" percent="1.56461">
	<row refno="20" percent="1.53763">

Perhaps I'm missing something, but why won't it work?

These tools might be useful https://www.elastic.co/guide/en/logstash/current/plugins-filters-split.html

Because then it's like this:

I need multiple events all with a single Job_Name field that contains one job name, not 20.

See what I mean?

Right now I have one event with 20 job names (XML doc above), and I can put each of those job names into separate fields: job_name1, job_name2, etc.

Or I can do what I said above^ 20 job names to a single field.

So I guess what I'm really asking is: how can I separate the XML doc into multiple events so that each event has its own Job_Name field with a single job name.

I'll look at that documentation too, thanks for that

Yes, I think those docs will point you in the right direction. Obviously check back if they don't.

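An added example, not part of the original thread: one way to use the split filter linked above so that each `<row>` becomes its own event with a single job name and delay percent. The root element name, the `message` source field, the `doc` target, the `job_name` and `delay_percent` field names, and the attribute-free `<col>` elements are assumptions, since the thread only shows the `<row>` lines.

```logstash
# Constructed sample input (one event, whole XML document in "message"):
#   <report>
#     <row refno="1" percent="100"><col>JOBA</col><col>...</col></row>
#     <row refno="2" percent="63.0564"><col>JOBB</col><col>...</col></row>
#   </report>
filter {
  # Parse the XML into a nested structure under [doc].
  # With the default force_array => true, [doc][row] is an array of hashes,
  # each holding "refno", "percent" and a "col" array of strings.
  xml {
    source    => "message"
    target    => "doc"
    store_xml => true
  }

  # Clone the event once per array element; in each clone [doc][row]
  # holds exactly one row instead of the array of 20.
  split {
    field => "[doc][row]"
  }

  # Flatten the row into top-level fields that Kibana can aggregate on.
  # Inside one mutate, rename runs before convert, and add_field and
  # remove_field are applied after the filter succeeds, in that order.
  mutate {
    rename       => { "[doc][row][percent]" => "delay_percent" }
    convert      => { "delay_percent" => "float" }
    add_field    => { "job_name" => "%{[doc][row][col][0]}" }
    remove_field => ["doc", "message"]
  }
}
```

Each one-minute snapshot then yields 20 events, so a terms aggregation on the job name field with an average of `delay_percent` on the Y-axis gives the chart asked for at the top of the thread.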
