Plot vectors against each other?

Freddler
Explorer

I'm trying to visualize some numerical data with chart but I'm not getting any results. No errors or anything but no plots either. 

The target event looks something like:

Log":[{"pressure":[0,45,976,1710,2412,3168,4207,..]},{"speed":[0,2432,3695,3611,3539,3435,3518,..]}, ...

Where the equal-length vectors are what I want to visualize, either as parallel lines or as a scatterplot against each other or whatever. Using the code below, I've managed to extract the numbers using regular expressions and split them at the comma. Inspecting the result in the statistics tab, the values appear neatly next to each other in what I consider to look like x- and y-vectors:

| rex "pressure\":\[(?P<pressure>[^]]{1,})"
| makemv delim="," pressure
| rex "speed\":\[(?P<speed>[^]]{1,})"
| makemv delim="," speed
| chart list(pressure), list(speed)

(I tried using values instead of list first, but there were some identical numbers in one of the vectors, which resulted in them being of different length.)

In my world, I should be able to just plot these against each other since they are the same length, but I can't find a way of doing it.
When I change the last line to this: "| chart list(OPVPresVec) by OPVPumpSpeedVec", the entire pressure vector is mapped to every element of the speed vector, which of course is nonsense.

I've tried using mvexpand after the delims but I get a similar result, with one entire vector being mapped to every element of the other. I am at a loss and have no idea what I'm doing.

Does anybody know how to solve this? Thanks in advance.

0 Karma

ITWhisperer
SplunkTrust

Something like this?

| eval points=mvzip(pressure,speed,":")
| mvexpand points
| eval points=split(points,":")
| eval pressure=mvindex(points,0)
| eval speed=mvindex(points,1)
0 Karma

Freddler
Explorer

I am indeed getting something to plot with this, thank you! However, the values (x-y-pairs) seem to have been scrambled somewhere along the line. I inserted your code between my last delim command and the chart command. Was that how it was intended?

0 Karma

ITWhisperer
SplunkTrust

| makeresults
| eval _raw="{\"Log\":[{\"pressure\":[0,45,976,1710,2412,3168,4207]},{\"speed\":[0,2432,3695,3611,3539,3435,3518]}]}"
| rex "pressure\":\[(?P<pressure>[^]]{1,})"
| makemv delim="," pressure
| rex "speed\":\[(?P<speed>[^]]{1,})"
| makemv delim="," speed
| eval points=mvzip(pressure,speed,":")
| mvexpand points
| eval points=split(points,":")
| eval pressure=mvindex(points,0)
| eval speed=mvindex(points,1)
| table pressure speed

This can be visualised in a line chart

0 Karma
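
An alternative to the mvzip approach in the thread, added here as an example and not posted by either participant: it pairs the two vectors by position through an explicit index field, converts the values to numbers, and drops events whose two vectors differ in length. The sample event is the one from the reply above; the field names idx and n are assumptions introduced for this example.

```spl
| makeresults
| eval _raw="{\"Log\":[{\"pressure\":[0,45,976,1710,2412,3168,4207]},{\"speed\":[0,2432,3695,3611,3539,3435,3518]}]}"
| rex "pressure\":\[(?P<pressure>[^]]{1,})"
| rex "speed\":\[(?P<speed>[^]]{1,})"
| eval pressure=split(pressure,","), speed=split(speed,",")
| eval n=mvcount(pressure)
| where n=mvcount(speed)
| eval idx=mvrange(0,n)
| mvexpand idx
| eval pressure=tonumber(mvindex(pressure,idx)), speed=tonumber(mvindex(speed,idx))
| sort 0 num(idx)
| table idx pressure speed
```

With idx as the first column, a line chart draws pressure and speed as two series in sample order; for a scatter plot of one against the other, end with `| table pressure speed` instead.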