https://community.splunk.com/t5/Splunk-Search/How-to-chart-a-csv-file/m-p/213716#M62700 <P>Use multikv to separate the data and then use the new values for your chart/timechart.</P> <P>index=... sourcetype=... | multikv fields PollTime, "Server Name", QueueName, "Display Name", value | timechart avg(value) by "Server Name"</P> <P>You might have to tweak the above query a bit but that should get you started.</P> Thu, 10 Sep 2015 07:58:37 GMT lcrielaa 2015-09-10T07:58:37Z https://community.splunk.com/t5/Splunk-Search/How-to-chart-a-csv-file/m-p/213712#M62696 <P>I have a CSV file which runs every 5 minutes and gathers data from separate data sources. A sample of what is compiled in Splunk is below. What I'm looking to do is chart the data into each of its own columns / rows, then sort the columns by whichever we choose. The main data we will need to pull from the .csv is in bold. As you can see, the columns in the script add the column names such as ''PollTime, Server Name, QueueName etc".</P> <P>PollTime, Server Name, QueueName, Display Name, value<BR /> 2015-09-03 15:01:27 All, All, All, All<BR /> <STRONG>PollTime, Server Name, QueueName, Display Name, value</STRONG><BR /> 2015-09-03 14:59:42 All, All, All, All<BR /> <STRONG>2015-09-03 14:01:26, SERVER1.main.corp.int, SERVER.C1.DG1.DGREQ, Consumer Count, 60<BR /> 2015-09-03 14:01:24, SERVER2.main.corp.int, SERVER.C2.DG2.DGREQ, Consumer Count, 0<BR /> 2015-09-03 14:01:23, SERVER3.main.corp.int, SERVER.C3.DG1.DGREQ, Consumer Count, 15<BR /> 2015-09-03 14:01:22, SERVER4.main.corp.int, SERVER.C4.DG2.DGREQ, Consumer Count, 0</STRONG></P> Thu, 03 Sep 2015 19:12:33 GMT https://community.splunk.com/t5/Splunk-Search/How-to-chart-a-csv-file/m-p/213712#M62696 gmelasecca 2015-09-03T19:12:33Z https://community.splunk.com/t5/Splunk-Search/How-to-chart-a-csv-file/m-p/213713#M62697 <P>Is the data already ingested in Splunk??</P> Thu, 03 Sep 2015 21:08:11 GMT https://community.splunk.com/t5/Splunk-Search/How-to-chart-a-csv-file/m-p/213713#M62697 somesoni2 2015-09-03T21:08:11Z https://community.splunk.com/t5/Splunk-Search/How-to-chart-a-csv-file/m-p/213714#M62698 <P>Yes the data is already in splunk. above is what splunk is outputting.</P> Tue, 08 Sep 2015 13:40:18 GMT https://community.splunk.com/t5/Splunk-Search/How-to-chart-a-csv-file/m-p/213714#M62698 gmelasecca 2015-09-08T13:40:18Z https://community.splunk.com/t5/Splunk-Search/How-to-chart-a-csv-file/m-p/213715#M62699 <P>And is each line in your example a different event? Because then you should just make a field extraction (or alternatively use rex-command in search) and use a table command to make the chart you want. </P> <P>If Splunk, for some reason, throws it all in one event you might want to check the props.conf file if he is breaking events correctly.</P> Wed, 09 Sep 2015 14:46:02 GMT https://community.splunk.com/t5/Splunk-Search/How-to-chart-a-csv-file/m-p/213715#M62699 dkoops 2015-09-09T14:46:02Z https://community.splunk.com/t5/Splunk-Search/How-to-chart-a-csv-file/m-p/213716#M62700 <P>Use multikv to separate the data and then use the new values for your chart/timechart.</P> <P>index=... sourcetype=... | multikv fields PollTime, "Server Name", QueueName, "Display Name", value | timechart avg(value) by "Server Name"</P> <P>You might have to tweak the above query a bit but that should get you started.</P> Thu, 10 Sep 2015 07:58:37 GMT https://community.splunk.com/t5/Splunk-Search/How-to-chart-a-csv-file/m-p/213716#M62700 lcrielaa 2015-09-10T07:58:37Z