topic Re: timechart for multiple, but similar, itemnames in Splunk Search

timechart for multiple, but similar, itemnames

splunk_question — Tue, 15 May 2018 20:31:45 GMT

I am attempting to grab data from a set of Items that all have relatively similar names, i.e.:

ItemName = LocX_VarY.DataTypeZ

Where the individual words are descriptors of where the data point was taken from, such as:

Location0001_Windspeed.10M

Now, say that I want to create a timechart that plots multiple different items, like:

Location0001_Windspeed.Below10M
Location0001_Windspeed.10M
Location0001_Windspeed.100M
Location0038_Windspeed.Below10M
etc.

How can I structure my search function in such a way that I don't have to manually enter in all of the locations/datatypes to get all applicable ItemNames and the data that corresponds to them.

Note that the examples provided were just examples, not representative of what the data looks like.

Re: timechart for multiple, but similar, itemnames

splunk_question — Tue, 15 May 2018 20:44:18 GMT

I can do

| timechart span=xxx values(value) by ItemName

But I'm looking for a more precise way to do it, especially when I want to condense the output downs into specific subsets of data.

Note that, in addition to a "Location 0001" and "Windspeed" variables, there would be dozens of others for each of those. Sorting by Locations and their Particular Variables or Particular Variable at a given Location is important.

Re: timechart for multiple, but similar, itemnames

somesoni2 — Tue, 15 May 2018 21:14:23 GMT

Could you explain what type of filters you'd apply when you want to condense the output? If you're looking to plot timechart for specific type of ItemNames, you can add a search filter just before your time chart. E.g.

your base search
| where like(ItemName,"%YourFilter%") 
| timechart span=xxx values(value) by ItemName

Re: timechart for multiple, but similar, itemnames

splunk_question — Wed, 23 May 2018 13:09:00 GMT

Sorry I never responded, I managed to find some data that was structured in a different way to help me accomplish this task. Thanks for the hint on the filter though, that will be extremely helpful in the future.

Re: timechart for multiple, but similar, itemnames

niketn — Wed, 23 May 2018 13:30:13 GMT

@splunk_questions could you please post the details of the approach you used to solve your issue and accept the same as answer to help others facing similar issue.

Re: timechart for multiple, but similar, itemnames

DalJeanis — Wed, 23 May 2018 18:48:24 GMT

This would break the individual parts of the ItemNames out:

| rex field=ItemName "(?<LocX>[^_]+)_(?<VarY>[^\.]+)\.(?<DataTypeZ>.+)$"

Then you could use post-processing such as | stats count by LocX | fields locX to put them in individual multiselect dropdowns for your user to choose between.

However, when you put them into timechart, you are probably going to want to merge the ItemName back together, and/or perhaps use trellis to spread the timecharts over multiple panels.