I have a record that comes into elk every minute. It's a snapshot of job delay data on a mainframe.
What I am trying to do is build a chart that shows each Job associated with its 'delay %'.
The record is in XML format. I have logstash parse/convert the needed values in that doc using XPath and mutate. So now I have multiple job names (job_name1, job_name2, etc.) and multiple "delay %'s" (delay_percent1, delay_percent2, etc.) in each record.
Is there a way I can build a graph where my Y-Axis contains the delay % and my X-Axis contains the job/program names?
Example:
Y-Axis contains: Delay percent of each field "delay_percent" (won't ever go over 100)
X-Axis contains: job_name1, job_name2, job_name3,...job_name20
See that's the problem, when I do that (select x-axis, then aggregate, then terms) I have all the "job_name#" as options. So I can make the graph you posted above, but I can only do it with one "job_name#" at a time.
Also that graph above is using many different events/messages, all of my data is coming from one single event (hence the job_name1, job_name2, etc -- as opposed to many events with a single 'job_name')
Is there a way to wildcard job_name? So I can aggregate on "job_name*"
PS sorry for the late reply, been out of town for a while.
It might be helpful if you could share a couple of sample documents with me and perhaps a screenshot.
That said, I'll take a guess - Why do you have the job name content in different fields? Is there anything restricting you from putting it into a single field?
Because it's an XML doc with 20 different rows that each specify a different job. Underneath each row is job specific information. So I can either have each job in its own field (which is what I have now), or I can have all jobs in the same field, which obviously won't work. Unless you know how to split the XML doc into multiple events? Here's what it looks like:
(the first < col > within each "<row refno= percent=>" contains the job name)
Because then it's like this:
Job_Name: OMXSTR HBODSMF RERLTJ (..etc.)
I need multiple events all with a single Job_Name field that contains one job name, not 20.
See what I mean?
Right now I have one event with 20 job names (XML doc above), and I can put each of those job names into separate fields: job_name1, job_name2, etc.
Or I can do what I said above^ 20 job names to a single field.
So I guess what I'm really asking is: how can I separate the XML doc into multiple events so that each event has its own Job_Name field with a single job name.
I'll look at that documentation too, thanks for that
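The split asked about in this thread, sketched as an added example that is not part of any post and not Logstash's own code: one snapshot document becomes one event per `<row>`, each with a single `job_name` and `delay_percent`, which is the shape a terms aggregation on the X-axis needs. The sample XML is constructed from the description above (`row`, `col`, `refno` and `percent` come from the thread; the root element, the percent values, the output field names and `split_snapshot` are assumptions).

```python
import xml.etree.ElementTree as ET

# Constructed sample: the thread describes <row refno= percent=> elements whose
# first <col> holds the job name; the root element and the values are assumed.
SAMPLE_XML = """<report>
  <row refno="1" percent="42"><col>OMXSTR</col><col>extra</col></row>
  <row refno="2" percent="7.5"><col>HBODSMF</col></row>
  <row refno="3" percent="100"><col>RERLTJ</col></row>
  <row refno="4" percent="n/a"><col>BADROW</col></row>
  <row refno="5" percent="12"></row>
</report>"""


def split_snapshot(xml_text, timestamp=None):
    """Return one flat event dict per <row>, skipping rows that cannot be charted."""
    # A snapshot needs no DTD; refusing one avoids entity-expansion surprises
    # when the feed is not fully trusted.
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DOCTYPE not allowed in snapshot")
    root = ET.fromstring(xml_text)
    events = []
    for row in root.iter("row"):
        first_col = row.find("col")  # first <col> carries the job name
        job = (first_col.text or "").strip() if first_col is not None else ""
        try:
            pct = float(row.get("percent", ""))
        except ValueError:
            continue  # non-numeric or missing percent
        if not job or not 0.0 <= pct <= 100.0:
            continue  # no job name, or outside the 0-100 range
        event = {"job_name": job, "delay_percent": pct, "refno": row.get("refno")}
        if timestamp is not None:
            event["@timestamp"] = timestamp  # every row shares the snapshot time
        events.append(event)
    return events


if __name__ == "__main__":
    # Constructed timestamp, standing in for the time the snapshot was taken.
    for ev in split_snapshot(SAMPLE_XML, "2016-01-01T00:00:00Z"):
        print(ev)
```

Rows with a missing job name or an unparseable percent are dropped rather than indexed, so a malformed snapshot cannot add junk terms to the chart.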