Solved: How To Draw Line Charts Of Sensors Data (splitter ...

yshen · ‎09-16-2020

I have the following data samples:

Temperature=82.4, Location=xxx.165.152.17, Time=Wed Sep 16 07:43:01 PDT 2020, Type=UPS
Temperature=84.2, Location=xxx.165.152.48, Time=Wed Sep 16 07:43:01 PDT 2020, Type=UPS
Temperature=82.4, Location=xxx.165.154.21, Time=Wed Sep 16 07:43:01 PDT 2020, Type=UPS
Temperature=82.4, Location=xxx.165.162.22, Time=Wed Sep 16 07:43:01 PDT 2020, Type=UPS
Temperature=77.0, Location=xxx.165.164.17, Time=Wed Sep 16 07:43:01 PDT 2020, Type=UPS
Temperature=75.2, Location=xxx.165.170.17, Time=Wed Sep 16 07:43:01 PDT 2020, Type=UPS
Temperature=77.0, Location=xxx.165.208.12, Time=Wed Sep 16 07:43:01 PDT 2020, Type=UPS
Temperature=73.4, Location=xxx.165.224.20, Time=Wed Sep 16 07:43:01 PDT 2020, Type=UPS
Temperature=75.3, Location=xxx.165.52.13, Time=Wed Sep 16 07:47:01 PDT 2020, Type=TempSensor
Temperature=77.9, Location=xxx.165.52.14, Time=Wed Sep 16 07:47:01 PDT 2020, Type=TempSensor
Temperature=76.3, Location=xxx.165.54.24, Time=Wed Sep 16 07:47:01 PDT 2020, Type=TempSensor
Temperature=83.8, Location=xxx.165.48.20, Time=Wed Sep 16 07:47:01 PDT 2020, Type=TempSensor
Temperature=73.8, Location=xxx.165.36.21, Time=Wed Sep 16 07:47:01 PDT 2020, Type=TempSensor

I'd like to draw line graphs of the `Temperature` over `Time`, splitted by `Location` (for individual sensor),
and I'd like to have a way to label the curves of `Locations`, by the value of `Type` (UPS or TempSensor), label, or legend, etc.
I'd also like to be able to filter selectively showing by `Type's` value and/or by certain `Location`.

So far, I figured out that I may be able to do the following:

| xyseries Time, Location, Temperature

but I am yet to figure out how to provide the labeling by `Type`, and filtering by `Type`, and `Location`.

ITWhisperer · ‎09-16-2020

Hi @yshen

Start here for creating and editing forms.

An example of what I have done is this

Where I can select what I want the chart to show (this might be just temperature in your case so perhaps not so relevant), but I can select the field I want to filter on (location or type in your case). Then depending on the filter, the choice in the third input is a multi-select populated with dedup'd values of the filter

    <panel>
      <input type="dropdown" token="dimension">
        <label>Select Dimension</label>
        <choice value="Consumer">Consumer</choice>
---
        <default>Consumer</default>
      </input>
      <input type="dropdown" token="filter">
        <label>Select Filter</label>
        <choice value="Service">Service</choice>
---
        <default>Service</default>
      </input>
      <input type="multiselect" token="selector">
        <label>Select one or more $filter$</label>
        <choice value="All">All</choice>
        <search>
          <query>search data | dedup $filter$ | fields $filter$</query>
        </search>
        <fieldForLabel>$filter$</fieldForLabel>
        <fieldForValue>$filter$</fieldForValue>
        <prefix>(</prefix>
        <valuePrefix>$filter$ ="</valuePrefix>
        <valueSuffix>"</valueSuffix>
        <delimiter> OR </delimiter>
        <suffix>)</suffix>
        <default>All</default>
        <change>
          <eval token="form.selector">case(mvcount('form.selector')=0,"All",mvcount('form.selector')&gt;1 AND mvfind('form.selector',"All")&gt;0,"All",mvcount('form.selector')&gt;1 AND mvfind('form.selector',"All")=0,mvfilter('form.selector'!="All"),1==1,'form.selector')</eval>
          <eval token="selector_choice">if(mvfind('form.selector',"All")=0,$filter$+"=*",$selector$)</eval>
        </change>
      </input>
      <chart>
        <title>Graph by $dimension$</title>
        <search>
          <query>search data $selector_choice$ | stats count by _time, $dimension$</query>
        </search>
---
      </chart>
    </panel>
  </row>

View solution in original post

yshen · ‎09-16-2020

@ITWhisperer Your suggestion sounds interesting.

How do I create such input panel with dropdowns with Splunk?

How do I create charts with the selected dropdown values?

So far, I only learned some query language. Some pointer or example, would be appreciated.

Thanks!

ITWhisperer · ‎09-16-2020

Hi @yshen

Start here for creating and editing forms.

An example of what I have done is this

Where I can select what I want the chart to show (this might be just temperature in your case so perhaps not so relevant), but I can select the field I want to filter on (location or type in your case). Then depending on the filter, the choice in the third input is a multi-select populated with dedup'd values of the filter

    <panel>
      <input type="dropdown" token="dimension">
        <label>Select Dimension</label>
        <choice value="Consumer">Consumer</choice>
---
        <default>Consumer</default>
      </input>
      <input type="dropdown" token="filter">
        <label>Select Filter</label>
        <choice value="Service">Service</choice>
---
        <default>Service</default>
      </input>
      <input type="multiselect" token="selector">
        <label>Select one or more $filter$</label>
        <choice value="All">All</choice>
        <search>
          <query>search data | dedup $filter$ | fields $filter$</query>
        </search>
        <fieldForLabel>$filter$</fieldForLabel>
        <fieldForValue>$filter$</fieldForValue>
        <prefix>(</prefix>
        <valuePrefix>$filter$ ="</valuePrefix>
        <valueSuffix>"</valueSuffix>
        <delimiter> OR </delimiter>
        <suffix>)</suffix>
        <default>All</default>
        <change>
          <eval token="form.selector">case(mvcount('form.selector')=0,"All",mvcount('form.selector')&gt;1 AND mvfind('form.selector',"All")&gt;0,"All",mvcount('form.selector')&gt;1 AND mvfind('form.selector',"All")=0,mvfilter('form.selector'!="All"),1==1,'form.selector')</eval>
          <eval token="selector_choice">if(mvfind('form.selector',"All")=0,$filter$+"=*",$selector$)</eval>
        </change>
      </input>
      <chart>
        <title>Graph by $dimension$</title>
        <search>
          <query>search data $selector_choice$ | stats count by _time, $dimension$</query>
        </search>
---
      </chart>
    </panel>
  </row>

alemarzu · ‎09-16-2020

Hi there @yshen

Im not sure if this is what you are looking for tho.

Assuming that your timestamps are the same as your Time field.

...base search...
| eval varLoc=Location."-".Type
| chart values(Temperature) as Temperature over varLoc by _time

Hope it helps.

yshen · ‎09-16-2020

@alemarzu Thanks for the suggestion. I'll try. This solution might not support the functionality of selecting by Type, for example, I want the user to be able to view locations of Type value "UPS".

ITWhisperer · ‎09-16-2020

Create an input panel with a dropdown giving you options for type (include All as option). Use the dropdown to set up a token that you put into your search for your location graph.

Do a similar thing for the locations for your type graph

You could combine the tokens so the graph is filtered on both type and location.

You can have another dropdown to select which dimension you want in your graph

How To Draw Line Charts Of Sensors Data (splitter by a field, labeled by another, and filtered by the both fields)

chart

timechart

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?