Splunk Enterprise

Create a Line-Chart from an Array within a Single Event

erez10121012
Path Finder

Hi,

I want to display an array by the index of the array on a Splunk dashboard.

I send an array from MATLAB software to Splunk in a single event:

y=1,2,3,4,5,6,7,8,9,10

I want to display a line chart of this y value by the index.

Thanks

0 Karma

ITWhisperer
SplunkTrust

Not sure if y is your data or your index - assuming it is data, then you need to split your data into a multi-value field and combine it with the index of the element, and split that into your x and y e.g.

| makeresults 
| eval log="y=1,2,3,4,5,6,7,8,9,10" 
| rex field=log "y=(?<y>.*)"
| makemv delim="," y 
| eval size=mvcount(y)
| eval index=mvrange(0, size, 1)
| eval xy=mvzip(index, y)
| mvexpand xy 
| rex field=xy "(?<x>[^,]),(?<y>.*)"
| fields x,y

There is probably a more elegant way of doing this!

0 Karma

erez10121012
Path Finder

Thanks

What do I need to add instead of "| eval log="y=1,2,3,4,5,6,7,8,9,10"?

If I delete this line, it does not work.

Thanks

0 Karma

ITWhisperer
SplunkTrust

The first 3 lines just create a result that I can work with (I don't have your data!)

Assuming you haven't already parsed your log into fields, you need to apply the rex to the _raw field

| rex field=_raw "y=(?<y>.*)"
0 Karma

erez10121012
Path Finder

Still, it's not a visualization.

Thanks for the help

0 Karma

ITWhisperer
SplunkTrust

It is not clear what visualisation you want - do you want a line for each original row of your data? Does each row have a unique timestamp or some other way of identifying it?

0 Karma

erez10121012
Path Finder

It is not clear what visualization you want - I want what you show in the first answer. y(x)

Do you want a line for each original row of your data - I want a line for each event > y=1,2,3...

Does each row have a unique - No. I sent the data from MATLAB software (y=1,2...)

Thanks

0 Karma

ITWhisperer
SplunkTrust

In order to get a line for each event, you can add an additional field for the row number and chart by that:

| makeresults 
| eval event="y=1,2,3,4,5,6,7,8,9,10|y=2,3,4,5,6,7,8,9,10,11|y=3,4,5,6,7,8,9,10,11,12|y=4,5,6,7,8,9,10,11,12,13" 
| makemv delim="|" event
| mvexpand event
| streamstats count as row
| fields row, event
| rex field=event "y=(?<y>.*)"
| makemv delim="," y 
| eval size=mvcount(y)
| eval index=mvrange(0, size, 1)
| eval xy=mvzip(index, y)
| mvexpand xy 
| rex field=xy "(?<x>[^,]),(?<y>.*)"
| fields x,y,row
| chart values(y) as y by x, row

To explain what is going on:

Create some dummy data (obviously, you don't need to do this)

| makeresults 
| eval event="y=1,2,3,4,5,6,7,8,9,10|y=2,3,4,5,6,7,8,9,10,11|y=3,4,5,6,7,8,9,10,11,12|y=4,5,6,7,8,9,10,11,12,13" 
| makemv delim="|" event
| mvexpand event

event is a field that represents your data.

Add a row number:

| streamstats count as row
| fields row, event

Create an array from the event data:

| rex field=event "y=(?<y>.*)"
| makemv delim="," y 

Create an array of indexes (based on the size of array y):

| eval size=mvcount(y)
| eval index=mvrange(0, size, 1)

Zip the index and value together, and create an event for each:

| eval xy=mvzip(index, y)
| mvexpand xy 

Split the index and value again and keep just the index, value and original row number:

| rex field=xy "(?<x>[^,]),(?<y>.*)"
| fields x,y,row

Now, visualise y(x) for each row

| chart values(y) as y by x, row

 

0 Karma

erez10121012
Path Finder

Thanks for the explanation.

I think my mistake is on the first step:

When I search for y I see the event but can't do statistics like in your example.

What is my mistake?

Thanks

0 Karma

ITWhisperer
SplunkTrust

The first part just generates some data, but you already have your events sent from matlab in the _raw field (the column is displayed as Events but the data is in a field called _raw). Your full query should look something like this:

source="tcp:515"
| streamstats count as row
| fields row, _raw
| rex field=_raw "y=(?<y>.*)"
| makemv delim="," y 
| eval size=mvcount(y)
| eval index=mvrange(0, size, 1)
| eval xy=mvzip(index, y)
| mvexpand xy 
| rex field=xy "(?<x>[^,]),(?<y>.*)"
| fields x,y,row
| chart values(y) as y by x, row

 

0 Karma

ITWhisperer
SplunkTrust

Sorry, there was a mistake in this line

| rex field=xy "(?<x>[^,]),(?<y>.*)"

It should have been:

| rex field=xy "(?<x>[^,]*),(?<y>.*)"

This picks up values of x greater than 9, i.e. more than 1 digit.

0 Karma
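
The effect of the one-character pattern corrected in the post above, modelled in Python as an added example that is not part of the original thread. It assumes Python's `re.search` behaves like `rex` here (both search unanchored); the function names and the sample event are constructed for illustration.

```python
import re
from collections import defaultdict

# Patterns from the thread, rewritten with Python's (?P<name>...) group syntax.
ORIGINAL = re.compile(r"(?P<x>[^,]),(?P<y>.*)")    # x is exactly one character
CORRECTED = re.compile(r"(?P<x>[^,]*),(?P<y>.*)")  # x is everything before the comma


def expand(raw):
    """Model of rex + makemv + mvrange + mvzip + mvexpand (hypothetical helper):
    returns one 'index,value' string per array element."""
    values = re.search(r"y=(?P<y>.*)", raw).group("y").split(",")
    return [f"{i},{v}" for i, v in enumerate(values)]


def split_xy(pattern, raw):
    """Model of the second rex: unanchored search over each zipped pair."""
    points = []
    for xy in expand(raw):
        m = pattern.search(xy)
        points.append((int(m.group("x")), int(m.group("y"))))
    return points


def collisions(points):
    """Return {x: [y, ...]} for every x that received more than one y value."""
    by_x = defaultdict(list)
    for x, y in points:
        by_x[x].append(y)
    return {x: ys for x, ys in by_x.items() if len(ys) > 1}


# Constructed sample event: 12 values, so the two-digit indexes 10 and 11 exist.
SAMPLE = "y=100,110,120,130,140,150,160,170,180,190,200,210"

if __name__ == "__main__":
    # With the original pattern, "10,200" matches from its second character,
    # so index 10 is reported as x=0 and lands on top of the real index 0.
    print("original :", collisions(split_xy(ORIGINAL, SAMPLE)))
    print("corrected:", collisions(split_xy(CORRECTED, SAMPLE)))
```

With the original pattern, no element is dropped and no error is raised; indexes 10 and 11 are simply relabelled as 0 and 1, so the chart gets two y values at those x positions.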

erez10121012
Path Finder

Thank you so much😀

0 Karma

erez10121012
Path Finder

Thank you. It works.

If I try to send 3 digits, I get strange results. Please see the picture.

0 Karma