topic Re: Extract Field values and plot on time series graph in Splunk Search

Extract Field values and plot on time series graph

nkavouris — Tue, 25 Jun 2024 16:31:24 GMT

I would like to extract the Message, Timestamp, and serial fields

Then I would like to plot the target: Temp(315600), state: Temp(315600), cavity: 178900

Each on individual plots based on the time series

I take it I will have to use a rex command to extract the bolded values from the message field.
How would I go about this?

{"bootcount":10,"device_id":"71ff6686fa5347828e3668e59249d0be","environment":"prod_walker",
"event_source":"appliance","event_type":"GENERIC","location":
{"city":"","country":"XXX","latitude":XXX,"longitude":XXX,"state":""},
"log_level":"info","message":"hardware_controller: TestState { target: Temp(315600), state: Temp(315600), cavity: 178900, fuel: None, shutdown: None, errors: test() }",
"model_number":"XXXX","sequence":1411,"serial":"XXXX","software_version":"2.2.2.7641","ticks":158236,"timestamp":1717972790}

Re: Extract Field values and plot on time series graph

ITWhisperer — Tue, 25 Jun 2024 16:50:01 GMT

| rex "target: Temp\((?<target>\d+)\), state: Temp\((?<state>\d+)\), cavity: (?<cavity>\d+)"

Re: Extract Field values and plot on time series graph

nkavouris — Tue, 25 Jun 2024 18:26:53 GMT

I have accomplished the Rex using field extractor

but as for plotting the values this is not of much help, id like to plot the values found with the associated timestamp of the event into a line chart

Re: Extract Field values and plot on time series graph

marnall — Tue, 25 Jun 2024 18:43:57 GMT

Does it appear when you change the search results to the "visualization" tab, then switch the visualization to "Line Chart"?

Alternatively could you try:

<your search that extracts the fields> | timechart mode(target) as target mode(state) as state mode(cavity) as cavity

Re: Extract Field values and plot on time series graph

ITWhisperer — Wed, 26 Jun 2024 07:54:43 GMT

The extraction gives you the values for the fields for each event. Each event will have an _time field with the time of the event. You have all the information you need to plot the values against time. Is it simply that you want to restrict the fields that are plotted?

| table _time target state cavity

The first field will be the x-axis on the chart (when you select a line chart as your visualisation), the other fields will be the series in the chart, each of which will be a line on the chart. What more do you need?