X/Y Axiis Using Only Field Data

I have a record that comes into elk every minute. It's a snapshot of job delay data on a mainframe.
What I am trying to do is build a chart that shows each Job associated with its 'delay %'.

The record is in XML format. I have logstash parse/convert the needed values in that doc using XPath and mutate. So now I have multiple job names (job_name1, job_name2, etc.) and multiple "delay %'s" (delay_percent1, delay_percent2, etc.) in each record.

Is there a way I can build a graph where my Y-Axis contains the delay % and my X-Axis contains the job/program names?

Example:
Y-Axis contains: Delay percent of each field "delay_percent" (won't ever go over 100)
X-Axis contains: job_name1, job_name2, job_name3,...job_name20

Can't figure this out.

Try creating a Vertical Bar Chart - https://www.elastic.co/guide/en/kibana/current/xy-chart.html

Set your X-Axis to aggregate on job names. I think this displays at least part of the solution you're looking for

See that's the problem, when I do that (select x-axis, then aggregate, then terms) I have all the "job_name#" as options. So I can make the graph you posted above, but I can only do it with one "job_name#" at a time.

Also that graph above is using many different events/messages, all of my data is coming from one single event (hence the job_name1, job_name2, etc -- as opposed to many events with a single 'job_name')

Is there a way to wildcard job_name? So I can aggregate on "job_name*"

PS sorry for the late reply, been out of town for a while.

It might be helpful if you could share a couple of sample documents with me and perhaps a screenshot.

That said, I'll take a guess - Why do you have the job name content in different fields? Is there anything restricting from putting it into a single field?

Because it's an xml doc with 20 different rows that each specify a different job. Underneith each row is job specific information. So I can either have each job in its own field (which is what I have now), or I can have all jobs in the same field, which obvioulsy won't work. Unless you know how to split the XML doc into multiple events? Here's what it looks like:

(the first < col > within each "<row refno= percent=>" contains the job name)

	<row refno="1" percent="100">
		<col>MCICSIEB</col>
		<col>74.14</col>
		<col>0136</col>
	</row>
	<row refno="2" percent="63.0564">
		<col>WIL0888B</col>
		<col>46.75</col>
		<col>01B5</col>
	</row>
	<row refno="3" percent="52.9674">
		<col>JEN0521X</col>
		<col>39.27</col>
		<col>01BB</col>
	</row>
	<row refno="4" percent="13.1238">
		<col>SERZMFP</col>
		<col>9.73</col>
		<col>023C</col>
	</row>
	<row refno="5" percent="9.56299">
		<col>OMXEDSST</col>
		<col>7.09</col>
		<col>0094</col>
	</row>
	<row refno="6" percent="8.91557">
		<col>MQT1CHIN</col>
		<col>6.61</col>
		<col>00CA</col>
	</row>
	<row refno="7" percent="6.20448">
		<col>TAT2469E</col>
		<col>4.6</col>
		<col>01B5</col>
	</row>
	<row refno="8" percent="5.90774">
		<col>BAR0980</col>
		<col>4.38</col>
		<col>021B</col>
	</row>
	<row refno="9" percent="5.46264">
		<col>PWXLST02</col>
		<col>4.05</col>
		<col>00A2</col>
	</row>
	<row refno="10" percent="5.20637">
		<col>TCICSL</col>
		<col>3.86</col>
		<col>01A5</col>
	</row>
	<row refno="11" percent="4.53197">
		<col>DBSYREPO</col>
		<col>3.36</col>
		<col>024D</col>
	</row>
	<row refno="12" percent="3.69571">
		<col>TCICSJ</col>
		<col>2.74</col>
		<col>0119</col>
	</row>
	<row refno="13" percent="3.15619">
		<col>OMXETOM</col>
		<col>2.34</col>
		<col>00E9</col>
	</row>
	<row refno="14" percent="3.12921">
		<col>TCPIP</col>
		<col>2.32</col>
		<col>0070</col>
	</row>
	<row refno="15" percent="2.48179">
		<col>CATALOG</col>
		<col>1.84</col>
		<col>002B</col>
	</row>
	<row refno="16" percent="2.38738">
		<col>OMXEO2</col>
		<col>1.77</col>
		<col>00E8</col>
	</row>
	<row refno="17" percent="2.10413">
		<col>HSM</col>
		<col>1.56</col>
		<col>0072</col>
	</row>
	<row refno="18" percent="1.65902">
		<col>WLM</col>
		<col>1.23</col>
		<col>000C</col>
	</row>
	<row refno="19" percent="1.56461">
		<col>TAT2469</col>
		<col>1.16</col>
		<col>0158</col>
	</row>
	<row refno="20" percent="1.53763">
		<col>GRS</col>
		<col>1.14</col>
		<col>0007</col>
	</row>
</report>

Perhaps I'm missing something, but why won't it work?

These tools might be useful https://www.elastic.co/guide/en/logstash/current/plugins-filters-split.html

Because then it's like this:
Job_Name: OMXSTR HBODSMF RERLTJ (..etc.)

I need multiple events all with a single Job_Name field that contains one job name, not 20.

See what I mean?

Right now I have one event with 20 job names (XML doc above), and I can put each of those job names into separate fields: job_name1, job_name2, etc.

Or I can do what I said above^ 20 job names to a single field.

So I guess what I'm really asking is: how can I separate the XML doc into multiple events so that each events has it's own Job_Name field with a single job name.

I'll look at that documentation too, thanks for that

Yes, I think those docs will point you in the right direction. Obviously check back if they don't.

1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.