topic Re: Create a Line-Chart from an Array within a Single Event in Splunk Search

Create a Line-Chart from an Array within a Single Event

hbrandt84 — Tue, 29 Sep 2020 13:56:33 GMT

Hi everybody,
I'm trying wrap my head around chart visualizations with Splunk.
As a Start i'm working with machine data that represents power consumption of a motor over time during one integral action.
the resulting JSON event looks kinda like this:

{   [-] 
     motor_name:     prod_50cal 
     client:         defense_arc    
     start-event:    true
     tech_data: {   [-] 
         power_curve_real:  [   [-] 
         4.01   
         3.08
         3.32   
         ...
         4.17   
         5.69
         6.45
         5.85
        ]   
         direction:  mount  
         power_curve_limit: [   [+] 
        ]   
    }   
     message_type:   mounting_start
     timestamp:  2017-04-11 23:49:34    
}

The "..." cuts the content here for visual reasons, as there are 100 values in each "power_curve_real: []".
Every example and Discussion about visualization in Splunk dashboards i've seen concern using one value from every event und unify them in a chart.
In my case i try to transform every event into a single line of a linechart. Plus, i want to show a "trendline" - an average of all shown lines.
My Main logical Problem is the definition of the X-Axis and Y-Axis...
My power-data entries are obviously my values for the Y-Axis, but the X-Axis is still undefined, as it needs to have the array index "1,2,3 ... 98,99,100" as discription. (but this index does not exist as literals within the event...)

I'm totally clueless as i have not found any commands that are suitable for this kind of event.
I'm thankful and open for any suggestions...

Re: Create a Line-Chart from an Array within a Single Event

adonio — Thu, 04 May 2017 03:00:59 GMT

hello there,
can you kindly show how the even looks in Splunk?
if its a mutlivalue field that contains 100 numeric values, you can manipulate it as shown here: https://docs.splunk.com/Documentation/Splunk/6.5.3/Search/Parsemultivaluefields
hope its a start

Re: Create a Line-Chart from an Array within a Single Event

DalJeanis — Thu, 04 May 2017 03:20:23 GMT

The command you are looking for is spath.

After you extract the array of values from the JSON into a multivalue field with that command, you are going to want to use mvexpand to turn each individual value of that field into an individual record.

What you need will be pretty close to what I did in the answer for this one, and what I posted there was run-anywhere code. My answer hasn't been approved yet, but when it appears you can play with it line by line and see what each command does. Modifying it for your own needs should not be too difficult.

https://answers.splunk.com/answers/525678/parse-json-series-data-into-a-chart.html

You will have to determine whatever makes sense to do with the _time of each record, but to start your viz, just use a command something like this.

(after you've splilt up the records)
| streamstats count as mycount
| eval _time =now()+mycount

That will give each one, in order, a different time by 1 second, which is enough so that everything doesn't all happen at once. 😉

Re: Create a Line-Chart from an Array within a Single Event

niketn — Tue, 29 Sep 2020 13:56:50 GMT

If you extract power_curve_real as multivalued field using the spath command, then you can use mvexpand to create single event for each of the values of power_curve_real.

Re: Create a Line-Chart from an Array within a Single Event

hbrandt84 — Thu, 04 May 2017 21:50:12 GMT

Yeah, I had already seen that command and I got the concept of dividing a single event into individual events. But I still don't see the benefit over multiple events. Is this nescessary for the visualisation to have each X/Y value pair in a seperate event?

Re: Create a Line-Chart from an Array within a Single Event

hbrandt84 — Thu, 04 May 2017 21:53:31 GMT

Thanks for your suggestion - it follows the same concept as niketnilays' suggestion, as I have problems in seeing the benefit of splitting my event up to smaller ones... But what do mean with "how the even looks"? I copied (and slightly edited) the event straight from the search app (highlighted)... Do you mean the raw event text?

Re: Create a Line-Chart from an Array within a Single Event

hbrandt84 — Thu, 04 May 2017 22:55:39 GMT

Okay, thanks for your response. I was especially looking for spl ideas that create X/Y axis value parts - and the mvzip approach might do the trick! Tomorrow I will try to apply this to my approach.

Re: Create a Line-Chart from an Array within a Single Event

DalJeanis — Thu, 04 May 2017 23:53:49 GMT

Oh, here's another useful item: mvrange(A,B,C) where A, B, and C are numbers or variables that equate to numbers, creates an mv field that starts at A and proceeds by step C until it is greater than or equal to B. C(defaults to 1.

For example, mvrange(1,11,2) is equivalent to mvappend(1,3,5,7,9)

So, for example, assuming that PowerCurveReal and PowerCurveLimit always have the same number of readings, you could say...

| eval readings=mvrange(1,mvcount (PowerCurveReal))
| eval readings=mvzip(readings,mvzip(PowerCurveReal,PowerCurveLimit,"!!!!"),"!!!!")

...and then you would have them all zipped together with a delimiter that won't ever appear in the data, in a way you can turn each composite reading into a single record.