Need field value to be part of another field

Lynyrd
Explorer

I have an upper limit in one field, a lower limit in another field, and actual data in a third field. How do I include the upper and lower limits as part of the actual data so that I can use the chart command showing the actual data between the limits? Using MVJOIN or MVZIP or MVAPPEND will not work because these perform concatenation... I do not need concatenation, I need inclusion.

What say you?

0 Karma

Lynyrd
Explorer

Plot is still not right. I guess I need to do more research.

0 Karma

niketn
Legend

@Lynyrd, seems like you are using Trellis Layout. Just turn it off using the Trellis option as available in your sample screenshot and there should be a single chart with three series.

PS: Splunk does provide an option for developers to write custom search commands and also the option to create custom visualizations in case current SPL or built-in visualizations/custom visualizations available on Splunkbase do not suit your needs.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

elliotproebstel
Champion

I don't quite understand what you mean when you say you need inclusion. If you'd like to compare the value in a field called actual_data to the values in fields called upper_limit and lower_limit, you could do this:

your search that leaves you with actual_data, upper_limit, and lower_limit
| where lower_limit<=actual_data AND actual_data<=upper_limit

But I'm not sure that's what you're trying to do. Can you explain more?

0 Karma

Lynyrd
Explorer

sourcetype=mfgtestengsoftware
| search "Result Logged" "Results{}.Pass"=true "B1611" "CCS" "33.[113.1] TP201 TO DGND_LF_PH"
| spath Results{}.Minimum
| spath Results{}.Maximum
| rename Results{}.Maximum AS Maximum
| rename Results{}.Minimum AS Minimum
| spath Results{}.Actual
| rename Results{}.Actual AS Actual
| eval Actual = Round(Actual)
| chart count over Actual

Minimum is the lower limit & Maximum is the upper limit, they are in different fields than the Actual field. So when I use the chart command above "chart count over Actual" the upper and lower limits are not in the plot. I need to get the values of Minimum and Maximum "INCLUDED" into the bins of the actual data so that when the plot is printed on the screen I can SEE the lower and upper limits along with or included with the Actual data.

0 Karma

elliotproebstel
Champion

I'm thinking maybe what you want are chart overlays. Do the examples on these pages look like what you want?
https://docs.splunk.com/Documentation/Splunk/7.0.2/SearchTutorial/Chartoverlays
http://docs.splunk.com/Documentation/SplunkCloud/latest/Viz/Chartcontrols#Chart_overlay

0 Karma

Lynyrd
Explorer

WOW... chart overlay very confusing example. It would be nice if the SPLUNK community could create a simple to use command called "dInclude(X,Y)" meaning data include. The meaning here is that Field X is included into field Y... so that when someone uses "chart count over Y" the data that was in X field is now part of the Y field ... like as if the Y field has adopted the X field. Now X and Y are treated as one field and all the data can be plotted together on the same X axis.

0 Karma

somesoni2
SplunkTrust

How about this? You should get 3 lines (assuming you're using line chart), one for count of actual, and one each for Minimum and Maximum for that actual.

sourcetype=mfgtestengsoftware
| search "Result Logged" "Results{}.Pass"=true "B1611" "CCS" "33.[113.1] TP201 TO DGND_LF_PH"
| spath Results{}.Minimum
| spath Results{}.Maximum
| rename Results{}.Maximum AS Maximum
| rename Results{}.Minimum AS Minimum
| spath Results{}.Actual
| rename Results{}.Actual AS Actual
| eval Actual = Round(Actual)
| chart count min(Minimum) as Minimum max(Maximum) as Maximum over Actual

Lynyrd
Explorer

That code gave me three individual plots. I need Min, Max and Actual to all be on the same plot.

I would include a picture but I don't have enough karma points.

0 Karma

somesoni2
SplunkTrust

Getting that format will be tricky. What type of value does that Actual field have? Can you provide some sample output from the above query (the table that you get)?

0 Karma