Map events using lat long

ips_mandar · ‎09-29-2019

Below is my sample event-

29-09-2019 8:00:00 Pullout longitude latitude
29-09-2019 8:02:10 loss  longitude latitude
29-09-2019 8:02:55 restore longitude latitude
29-09-2019 8:09:00 loss longitude latitude
29-09-2019 8:12:10 restore longitude latitude
29-09-2019 8:54:10 PullIn longitude latitude
29-09-2019 9:02:10 loss longitude latitude
29-09-2019 9:02:55 restore longitude latitude
29-09-2019 9:09:00 loss longitude latitude
29-09-2019 8:12:10 restore longitude latitude
29-09-2019 9:00:00 Pullout longitude latitude
...

Here I want to group startswith="pullout" to endswith="pullIn" but only take loss events where loss and restoration time is more than 1 min and exclude less than 1 min and plot loss on map using latitude and longitude.
any help will be appreciated. I tried transaction command but unable to succeed
thanks.

vik_splunk · ‎09-30-2019

Hi ips_mandar

Can you provide more inputs on this? The way I see it, it goes along the lines of

Create a transaction starting with Pullout and ending with PullIn
Within the events in the transaction, compute difference between loss and restore events and retain only those where there is a loss of > 1 minute. Is that to be accumulated within a transaction?

i.e in the sample data, Should (8:02:55 - 8:02:10) 45 seconds be a separate event or accumulate losses within a transaction?

29-09-2019 8:00:00 Pullout longitude latitude
29-09-2019 8:02:10 loss longitude latitude
29-09-2019 8:02:55 restore longitude latitude
29-09-2019 8:09:00 loss longitude latitude
29-09-2019 8:12:10 restore longitude latitude
29-09-2019 8:54:10 PullIn longitude latitude

Depending on the definition, the approach will change. It almost seems like a transaction within a transaction. Check out these links if that's what you are trying to achieve.

https://answers.splunk.com/answers/30980/nested-transactions.html
https://www.splunk.com/blog/2011/01/11/maintaining-state-of-the-union.html

ips_mandar · ‎09-30-2019

@vik_splunk you understand correctly I want transaction within transaction.
In above sample data I am more concern about (8:09:00 - 8:12:10) i.e. loss happening for more than 1 min. and I don't want 45 sec (8:02:55 - 8:02:10).
I wanted the loss happening for more than 1 min and neglect which are less than 1 min and then plot loss on map. How can I achieve this?
I did checked these link but unable to understand..can you please explain in my case how can I achieve it?
Thanks,

gcusello · ‎09-30-2019

Hi ips_mandar
try something like this:

| your_search
| transaction source startswith="loss" endswith="restore"
| where duration>60
| table duration latitude longitude

Bye.
Giuseppe

ips_mandar · ‎09-30-2019

Thanks but As I mentioned I want events falling between "PullOut" to "PullIn" only and I want to plot loss only on map.

richgalloway · ‎09-29-2019

Please explain "loss and restoration time". Also, what SPL have you tried already?

---
If this reply helps you, Karma would be appreciated.

ips_mandar · ‎09-29-2019

loss and restoration time defines GPS unit lost connection and restored connection.
I tried ...|transaction source startswith="Pullout" endswith="PullIn"

Map events using lat long

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!