
Automate Splunk to reproduce a data set from multiple indices and create their patterns?

paritoshs24
Path Finder

Hi Team, my data across multiple indices looks like this, from latest index to oldest:

oldest                                                              latest

index 1                     index 2                     index 3
par lkg target workweek     par lkg target workweek     par lkg target workweek
a   1   8      ww1          a   5   8      ww2          a   4   8      ww3
b   2   9      ww1          b   6   9      ww2          b   5   9      ww3
c   3   7      ww1          c   7   7      ww2          c   8   7      ww3
d   4   6      ww1          d   8   6      ww2          d   2   6      ww3

I want to recreate data like this:

par target ww1 ww2 ww3 line chart
a   8      1   5   4
b   9      2   6   5
c   7      3   7   8
d   6      4   8   2

The major catch is ... we do not know how many indices there are ... we do not know how many par there are in any index, and how to automate Splunk to create a line chart for each of these par showing the lkg trend across the workweeks.

@Richfez  @richgalloway  @ITWhisperer  @aljohnson_splun @PickleRick autom

0 Karma

paritoshs24
Path Finder

Some answers to the above queries.
@PickleRick
My events may look like the following.
This is from index 1:

14/10/2022 00:59:30.000
{
  par: a
  lkg: 1
  target: 8
  workweek: ww_41_2022
}

We have similar events for different par's having different lkg and different targets.
Also we have multiple such indexes/sources which again contain multiple events like the above.

@gcusello 

  • workweek is a number or a date?
    It's shown above ... it's a string, a mix of numerals and alphabets.

  • the cross between workweek and par is a count or the value of lkg?
    It's the value of lkg ... I can't specify numbers due to data copyrights 🙂
  • the relation par-target is always 1:1?
    Yes, it's a 1:1 ... for every par we have a lkg, we have a target and a corresponding workweek.

  • par, lkg, target and workweek are all in the same event (record) in all the three indexes?
    Yes, all the multiple indices have events which contain the same info like par, its target, its lkg and the corresponding ww info ... and many other info, but they are irrelevant as of now.

  • when you say line chart, are you meaning one line chart or one for each workweek?
    When I say line chart I mean to say the summary that I need to create should have par/targets/and lkg from each ww and a line chart showing how lkg is changing for each par across all workweeks ... for my line chart the y axis would contain lkg while the x axis would contain the ww.

    par target ww1 ww2 ww3 line chart
    a   8      1   5   4
    b   9      2   6   5
    c   7      3   7   8
    d   6      4   8   2
0 Karma

PickleRick
SplunkTrust
SplunkTrust

It seems you have extra information (the par value which is repeated with every event). In the context of analyzing a single event it's good because it lets you do a quick check without consulting any external sources (Splunk is not an RDBMS so we won't teach you about database normalization here ;-)). But seriously - what if the par value changed over time?

Anyway, it seems that what you need is an xyseries command which takes such "indexed" events and puts them over a table.

The trick here is that xyseries normally works with three fields - X-index, Y-index and value whereas in your events you have par and target which should be the "Y-index". So you'd need to combine them into one value, then do xyseries and then split them again into separate values.

Anyway, just out of curiosity - why do you have multiple indexes with the same kind of data?

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @paritoshs24,

does my search work for you?

Ciao.

Giuseppe

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @paritoshs24,

some questions:

  • workweek is a number or a date?
  • the cross between workweek and par is a count or the value of lkg?
  • the relation par-target is always 1:1?
  • par, lkg, target and workweek are all in the same event (record) in all the three indexes?
  • when you say line chart, are you meaning one line chart or one for each workweek?

So if:

  • workweek is a number
  • the cross between workweek and par is the value of lkg
  • the relation par-target is always 1:1
  • par, lkg, target and workweek are all in the same event

you could try something like this:

<your_search>
| eval column=par."|".target
| chart values(lkg) AS lkg OVER column BY workweek

that you can display in a table or in a chart.

Ciao.

Giuseppe

0 Karma
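Putting PickleRick's combine, pivot, split description together with Giuseppe's search, as an added example that is not part of any reply in this thread: the combined split-by field is taken apart again with split/mvindex after the chart, so par and target come back as separate columns. The index wildcard, the sourcetype placeholder and the ww* column pattern are assumptions about the data (the thread only says the workweek values look like ww_41_2022), not something the thread states.

```spl
index=* sourcetype=<your_sourcetype> par=* lkg=* target=* workweek=*
| eval column=par."|".target
| chart values(lkg) AS lkg OVER column BY workweek
| eval parts=split(column,"|"), par=mvindex(parts,0), target=mvindex(parts,1)
| fields - column parts
| table par target ww*
```

The field filters (par=* lkg=* target=* workweek=*) scope the search to events that carry all four fields, which is what makes it independent of how many indices exist; if index=* is too broad in your environment, narrow it to an index name pattern. Two caveats: values(lkg) becomes a multivalue cell if more than one event for the same par and workweek is found, so use latest(lkg) instead when only the newest reading should count; and chart orders the workweek columns as strings, so names like ww_41_2022 do not sort chronologically across a year boundary, which means a numeric key (year and week combined) has to be derived first if that ordering matters. For the line chart with the workweek on the x axis and one line per par, swap the two fields: chart values(lkg) AS lkg OVER workweek BY par.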

PickleRick
SplunkTrust
SplunkTrust

These are not your single events, are they?

Show us what your events look like.

0 Karma