
How I visualize my data mentioned

New Member

Hello Experts

My script, written in Perl, returns output in the following format:

4:10:05.000 AM


Server9J 6 0

Server3 0 0

Server1 6 0

Server4 0 0

Now I want to visualize this output. How can I do this?

  1. First, how the inbuffer/outbuffer count varies for a specific server over time, to understand spikes of inbuffer/outbuffer at a specific time.
  2. Display the current status of each server, as per inbuffer/outbuffer, in a dashboard.

Kindly suggest how I can do this.

Best regards,

0 Karma

New Member

Thanks a lot, Nils, for the clarifications!

The script puts its results on standard output, not in a file.

As this script was written by me, I can modify its output to another format as well.

What would be the correct output format for this data so that I can easily visualize it in Splunk?

I can also write this data like below:


Will this help to visualize the data?

0 Karma


First I have to say that, as far as I know, there's no way to put both the in and out buffer for all servers in one graph (it would get very messy), so my example forces the user to make two panels, one for the inbuffer and one for the outbuffer. Here's my approach to the problem:

It depends on the file type of the output. Splunk can read many different types of files but has its limits (although they're hard to find). What I do know is that if it's a .txt file or something similar, you should be able to perform field extractions on the contents of the file.

This way you can tag Server9J as a sourcetype, and INBUFFER and OUTBUFFER as fields. Although I'm not sure if Splunk can read your files like that, with tabs instead of an "=". I myself have not tried it.

When Splunk is recognizing the fields and sourcetypes, you can compose a fairly easy search string to start building your dashboards, graphs, pie charts, etc.

If you want a graph showing the in/out buffer over time, the string I would write would look a little bit like this (although the prerequisite is that you put all the sourcetypes in one index):

index="INDEXNAME" | timechart count by YOURFIELDEXTRACTION

With this string, Splunk will look in the index where you have put all your servers as sourcetypes and will count all your in/out buffers. If you indexed it correctly and configured the field extractions properly, you should get a nice graph.

You can mail me for further questions.

I hope I helped.


0 Karma
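An added example, not part of the thread: one way to reshape the block output from the question into one timestamped key=value line per server, a form Splunk extracts fields from automatically at search time. The field names `server`, `inbuffer`, `outbuffer` and the `day` parameter are assumptions; the original output carries only a time of day, so the date has to be supplied.

```python
import re
from datetime import date, datetime

# Constructed sample in the shape shown in the question: a time-only header
# line followed by "<server> <inbuffer> <outbuffer>" rows.
SAMPLE = """4:10:05.000 AM

Server9J 6 0
Server3 0 0
Server1 6 0
Server4 0 0
"""

TIME_RE = re.compile(r"^\d{1,2}:\d{2}:\d{2}\.\d{3} [AP]M$")
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)$")


def to_kv_events(text, day):
    """Return one 'timestamp key=value ...' event line per server row."""
    events, stamp = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TIME_RE.match(line):
            # A new header line: every following row belongs to this time.
            t = datetime.strptime(line, "%I:%M:%S.%f %p").time()
            stamp = datetime.combine(day, t)
            continue
        m = ROW_RE.match(line)
        if m is None or stamp is None:
            # Malformed row, or a row before any header: skip, do not guess.
            continue
        server, inbuf, outbuf = m.groups()
        # Full date and 24-hour time first, so each event is timestamped
        # unambiguously; microseconds are trimmed to milliseconds.
        events.append(
            f"{stamp:%Y-%m-%d %H:%M:%S.%f}"[:-3]
            + f" server={server} inbuffer={inbuf} outbuffer={outbuf}"
        )
    return events


if __name__ == "__main__":
    for event in to_kv_events(SAMPLE, date.today()):
        print(event)
```

With events in this shape, `timechart max(inbuffer) by server` plots the buffer value per server over time, and a second panel can do the same for `outbuffer`.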