Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Map events using lat long

ips_mandar
Builder
‎09-29-2019 08:19 AM

Below is my sample event-

29-09-2019 8:00:00 Pullout longitude latitude
29-09-2019 8:02:10 loss  longitude latitude
29-09-2019 8:02:55 restore longitude latitude
29-09-2019 8:09:00 loss longitude latitude
29-09-2019 8:12:10 restore longitude latitude
29-09-2019 8:54:10 PullIn longitude latitude
29-09-2019 9:02:10 loss longitude latitude
29-09-2019 9:02:55 restore longitude latitude
29-09-2019 9:09:00 loss longitude latitude
29-09-2019 8:12:10 restore longitude latitude
29-09-2019 9:00:00 Pullout longitude latitude
...

Here I want to group startswith="pullout" to endswith="pullIn" but only take loss events where loss and restoration time is more than 1 min and exclude less than 1 min and plot loss on map using latitude and longitude.
any help will be appreciated. I tried transaction command but unable to succeed
thanks.

0 Karma
Reply

vik_splunk
Communicator
‎09-30-2019 04:21 AM

Hi ips_mandar

Can you provide more inputs on this? The way I see it, it goes along the lines of

  1. Create a transaction starting with Pullout and ending with PullIn
  2. Within the events in the transaction, compute difference between loss and restore events and retain only those where there is a loss of > 1 minute. Is that to be accumulated within a transaction?

i.e in the sample data, Should (8:02:55 - 8:02:10) 45 seconds be a separate event or accumulate losses within a transaction?

29-09-2019 8:00:00 Pullout longitude latitude
29-09-2019 8:02:10 loss longitude latitude
29-09-2019 8:02:55 restore longitude latitude
29-09-2019 8:09:00 loss longitude latitude
29-09-2019 8:12:10 restore longitude latitude
29-09-2019 8:54:10 PullIn longitude latitude

Depending on the definition, the approach will change. It almost seems like a transaction within a transaction. Check out these links if that's what you are trying to achieve.

https://answers.splunk.com/answers/30980/nested-transactions.html
https://www.splunk.com/blog/2011/01/11/maintaining-state-of-the-union.html

0 Karma
Reply

ips_mandar
Builder
‎09-30-2019 11:48 PM

@vik_splunk you understand correctly I want transaction within transaction.
In above sample data I am more concern about (8:09:00 - 8:12:10) i.e. loss happening for more than 1 min. and I don't want 45 sec (8:02:55 - 8:02:10).
I wanted the loss happening for more than 1 min and neglect which are less than 1 min and then plot loss on map. How can I achieve this?
I did checked these link but unable to understand..can you please explain in my case how can I achieve it?
Thanks,

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-30-2019 12:24 AM

Hi ips_mandar
try something like this:

| your_search
| transaction source startswith="loss" endswith="restore"
| where duration>60
| table duration latitude longitude

Bye.
Giuseppe

0 Karma
Reply

ips_mandar
Builder
‎09-30-2019 03:03 AM

Thanks but As I mentioned I want events falling between "PullOut" to "PullIn" only and I want to plot loss only on map.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-29-2019 12:34 PM

Please explain "loss and restoration time". Also, what SPL have you tried already?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

ips_mandar
Builder
‎09-29-2019 10:07 PM

loss and restoration time defines GPS unit lost connection and restored connection.
I tried ...|transaction source startswith="Pullout" endswith="PullIn"

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...