Plot vectors against each other?

Freddler
Explorer

I'm trying to visualize some numerical data with chart but I'm not getting any results. No errors or anything but no plots either. 

The target event looks something like:

Log":[{"pressure":[0,45,976,1710,2412,3168,4207,..]},{"speed":[0,2432,3695,3611,3539,3435,3518,..]}, ...

Where the equal-length vectors are what I want to visualize, either as parallel lines or as a scatterplot against each other or whatever. Using the code below, I've managed to extract the numbers using regular expressions and split them at the comma. Inspecting the result in the statistics tab, the values appear neatly next to each other in what I consider to look like x- and y-vectors:

| rex "pressure\":\[(?P<pressure>[^]]{1,})"
| makemv delim="," pressure
| rex "speed\":\[(?P<speed>[^]]{1,})"
| makemv delim="," speed
| chart list(pressure), list(speed)

(I tried using values instead of list first, but there were some identical numbers in one of the vectors, which resulted in them being of different length.)

In my world, I should be able to just plot these against each other since they are the same length, but I can't find a way of doing it.
Changing the last line to this: "| chart list(OPVPresVec) by OPVPumpSpeedVec", the entire pressure vector is mapped to every element of the speed vector, which of course is nonsense.

I've tried using mvexpand after the delims but I get a similar result, with one entire vector being mapped to every element of the other. I am at a loss and have no idea what I'm doing.

Does anybody know how to solve this? Thanks in advance.

0 Karma

ITWhisperer
SplunkTrust

Something like this?

| eval points=mvzip(pressure,speed,":")
| mvexpand points
| eval points=split(points,":")
| eval pressure=mvindex(points,0)
| eval speed=mvindex(points,1)
0 Karma

Freddler
Explorer

I am indeed getting something to plot with this, thank you! However, the values (x-y-pairs) seem to have been scrambled somewhere along the line. I inserted your code between my last delim command and the chart command. Was that how it was intended?

0 Karma

ITWhisperer
SplunkTrust
| makeresults
| eval _raw="{\"Log\":[{\"pressure\":[0,45,976,1710,2412,3168,4207]},{\"speed\":[0,2432,3695,3611,3539,3435,3518]}]}"
| rex "pressure\":\[(?P<pressure>[^]]{1,})"
| makemv delim="," pressure
| rex "speed\":\[(?P<speed>[^]]{1,})"
| makemv delim="," speed
| eval points=mvzip(pressure,speed,":")
| mvexpand points
| eval points=split(points,":")
| eval pressure=mvindex(points,0)
| eval speed=mvindex(points,1)
| table pressure speed

This can be visualised in a line chart

0 Karma
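
A variant of the approach in the answers above, as an added example that is not part of the original posts: instead of zipping the two vectors, it expands an explicit element index so both series can be drawn as parallel lines against their position. The field name `idx` is hypothetical, the sample event is the one from the reply above, and the `tonumber` conversion assumes the values are plain integers as shown.

```spl
| makeresults
| eval _raw="{\"Log\":[{\"pressure\":[0,45,976,1710,2412,3168,4207]},{\"speed\":[0,2432,3695,3611,3539,3435,3518]}]}"
| rex "pressure\":\[(?P<pressure>[^]]{1,})"
| makemv delim="," pressure
| rex "speed\":\[(?P<speed>[^]]{1,})"
| makemv delim="," speed
| eval idx=mvrange(0, mvcount(pressure))
| mvexpand idx
| eval idx=tonumber(idx)
| eval pressure=tonumber(mvindex(pressure, idx)), speed=tonumber(mvindex(speed, idx))
| sort 0 idx
| table idx pressure speed
```

Only `idx` is expanded, so each row still carries both full vectors until `mvindex` picks the element at that position. With `idx` as the first column, a line chart uses it as the x-axis and draws `pressure` and `speed` as two series.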