topic Re: Visualization in Splunk Search

How to represent good visualization with the following fields?

kirthika26 — Tue, 04 Apr 2023 15:07:33 GMT

How to represent good visualization with the following fields

DeviceID, Software Version (Eg 1.22.2222.34) , Software Version Release Date (2020-02-03 00:00:00) , Software Version last timestamp ( 2020-02-05 02:04:45) and Total_Days ( 2)

Total Days is the difference between Software Version Release Date and Software Version last timestamp.

Chart should cover all fields

Re: Visualization

diogofgm — Mon, 03 Apr 2023 10:15:43 GMT

Depending what you are trying to see I would say you could use either a sankey or a parallel coordinates custom viz.

Sankey

https://splunkbase.splunk.com/app/3112

Parallel Coordinates

https://splunkbase.splunk.com/app/3137

Re: Visualization

gcusello — Mon, 03 Apr 2023 10:16:08 GMT

Hi @kirthika26,

are all the information in one event or in different events from different data sources?

could you share a sample of these events, eventually one or two from each data source?

because if they are in one event, you have only to display them using table and calculating the Total Days using eval.

If instead (as I suppose) they are in different data sources I have to correlate them.

Ciao.

Giuseppe

Re: Visualization

kirthika26 — Mon, 03 Apr 2023 10:53:17 GMT

Attached sample gcusello.

all from same sources

Re: Visualization

gcusello — Mon, 03 Apr 2023 10:34:09 GMT

Hi @kirthika26,

sorry, I wasn't clear: I need some sample of the raw events in text mode, not screenshot.

Anyway, viewing your message, I suppose that you have data in a csv, did you already indexed in Splunk?

All the information seems to be in the same event, in this kind, you have only to use eval to calculate the date difference.

<your_search> | eval Total_Days =round(strptime(timestamp,"%m/%d/%Y %H:%M")-strptime(releasetime,"%m/%d/%Y %H:%M"))/86400,2) | table Device_ID VersionIP releasetime timestamp Total_Days | rename Device_ID AS DeviceID VersionIP AS "Software Version" releasetime AS "Software Version Release Date" timestamp AS "Software Version last timestamp" Total_Days

remember that to compare different dates and times, you have to convert them in epochtime.

Ciao.

Giuseppe

Re: Visualization

kirthika26 — Mon, 03 Apr 2023 10:37:09 GMT

Hi Giuseppe ,

Thanks for your reply. But need help in final visualization part after table command

Re: Visualization

gcusello — Mon, 03 Apr 2023 10:39:29 GMT

Hi @kirthika26,

I renamed the columns and I rounded the Total_Days field

what else you would add in final visualization?

Ciao.

Giuseppe

Re: Visualization

kirthika26 — Mon, 03 Apr 2023 10:52:59 GMT

Thanks Giuseppe

Re: Visualization

gcusello — Mon, 03 Apr 2023 10:55:52 GMT

Hi @kirthika26,

if one answer solves your need, please accept one answer for the other people of Community or tell us how we can help you.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the Contributors;-)