Hi,
I want to display an array by the index of the array on a Splunk dashboard.
I send an array from MATLAB software to Splunk in a single event:
y=1,2,3,4,5,6,7,8,9,10
I want to display a line chart of this y value by the index.
Thanks
Not sure if y is your data or your index - assuming it is data, then you need to split your data into a multi-value field and combine it with the index of the element, and split that into your x and y e.g.
| makeresults
| eval log="y=1,2,3,4,5,6,7,8,9,10"
| rex field=log "y=(?<y>.*)"
| makemv delim="," y
| eval size=mvcount(y)
| eval index=mvrange(0, size, 1)
| eval xy=mvzip(index, y)
| mvexpand xy
| rex field=xy "(?<x>[^,]),(?<y>.*)"
| fields x,y
There is probably a more elegant way of doing this!
Thanks.
What do I need to add instead of | eval log="y=1,2,3,4,5,6,7,8,9,10"?
If I delete this line, it does not work.
Thanks
The first 3 lines just create a result that I can work with (I don't have your data!)
Assuming you haven't already parsed your log into fields, you need to apply the rex to the _raw field
| rex field=_raw "y=(?<y>.*)"
It is still not visualizing.
Thanks for the help.
It is not clear what visualisation you want - do you want a line for each original row of your data? Does each row have a unique timestamp or some other way of identifying it?
"It is not clear what visualization you want" - I want what you show in the first answer: y(x).
"Do you want a line for each original row of your data" - I want a line for each event > y=1,2,3...
"Does each row have a unique" - No. I sent the data from MATLAB software (y=1,2...)
Thanks
In order to get a line for each event, you can add an additional field for the row number and chart by that
| makeresults
| eval event="y=1,2,3,4,5,6,7,8,9,10|y=2,3,4,5,6,7,8,9,10,11|y=3,4,5,6,7,8,9,10,11,12|y=4,5,6,7,8,9,10,11,12,13"
| makemv delim="|" event
| mvexpand event
| streamstats count as row
| fields row, event
| rex field=event "y=(?<y>.*)"
| makemv delim="," y
| eval size=mvcount(y)
| eval index=mvrange(0, size, 1)
| eval xy=mvzip(index, y)
| mvexpand xy
| rex field=xy "(?<x>[^,]),(?<y>.*)"
| fields x,y,row
| chart values(y) as y by x, row
To explain what is going on:
Create some dummy data (obviously, you don't need to do this)
| makeresults
| eval event="y=1,2,3,4,5,6,7,8,9,10|y=2,3,4,5,6,7,8,9,10,11|y=3,4,5,6,7,8,9,10,11,12|y=4,5,6,7,8,9,10,11,12,13"
| makemv delim="|" event
| mvexpand event
event is a field that represents your data.
Add a row number:
| streamstats count as row
| fields row, event
Create an array from the event data:
| rex field=event "y=(?<y>.*)"
| makemv delim="," y
Create an array of indexes (based on the size of array y):
| eval size=mvcount(y)
| eval index=mvrange(0, size, 1)
Zip the index and value together, and create an event for each:
| eval xy=mvzip(index, y)
| mvexpand xy
Split the index and value again and keep just the index, value and original row number:
| rex field=xy "(?<x>[^,]),(?<y>.*)"
| fields x,y,row
Now, visualise y(x) for each row:
| chart values(y) as y by x, row
Thanks for the explanation.
I think my mistake is in the first step:
when I search for y I see the event but can't do statistics like in your example.
What is my mistake?
Thanks
The first part just generates some data, but you already have your events sent from matlab in the _raw field (the column is displayed as Events but the data is in a field called _raw). Your full query should look something like this:
source="tcp:515"
| streamstats count as row
| fields row, _raw
| rex field=_raw "y=(?<y>.*)"
| makemv delim="," y
| eval size=mvcount(y)
| eval index=mvrange(0, size, 1)
| eval xy=mvzip(index, y)
| mvexpand xy
| rex field=xy "(?<x>[^,]),(?<y>.*)"
| fields x,y,row
| chart values(y) as y by x, row
Sorry, there was a mistake in this line
| rex field=xy "(?<x>[^,]),(?<y>.*)"
It should have been:
| rex field=xy "(?<x>[^,]*),(?<y>.*)"
This picks up values of x greater than 9, i.e. more than 1 digit.
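Why the one-character class matters, as an added example that is not part of the original posts: rex applies its pattern as an unanchored search, so for a pair such as "10,30" the pattern [^,], matches from the second digit and yields x=0 instead of failing. The Python sketch below mimics the pipeline on a constructed 12-value event; the function names and sample data are assumptions for illustration.

```python
import re

# Patterns from the thread, rewritten in Python's named-group syntax (?P<name>...).
BUGGY = re.compile(r"(?P<x>[^,]),(?P<y>.*)")   # x limited to one character
FIXED = re.compile(r"(?P<x>[^,]*),(?P<y>.*)")  # x may be any length


def expand(raw, pattern):
    """Mimic the SPL pipeline for one event: extract y, split on commas,
    zip each value with its index, then split every "index,value" pair."""
    values = re.search(r"y=(.*)", raw).group(1).split(",")   # rex + makemv
    pairs = [f"{i},{v}" for i, v in enumerate(values)]        # mvrange + mvzip
    points = []
    for pair in pairs:                                        # mvexpand + rex
        m = pattern.search(pair)   # unanchored search, as rex does
        points.append((m.group("x"), m.group("y")))
    return points


def colliding_x(points):
    """Return the x values that occur more than once, i.e. positions where
    several y values from one event would land on the same chart column."""
    seen, dup = set(), set()
    for x, _ in points:
        (dup if x in seen else seen).add(x)
    return sorted(dup, key=int)


# Constructed sample event with 12 values, so indexes 10 and 11 exist.
SAMPLE = "y=20,21,22,23,24,25,26,27,28,29,30,31"

if __name__ == "__main__":
    for name, pat in (("buggy", BUGGY), ("fixed", FIXED)):
        pts = expand(SAMPLE, pat)
        print(name, pts[-2:], "collisions:", colliding_x(pts))
```

With the original pattern the last two points come out under x=0 and x=1, so they are merged with the first two values by chart values(y); with the corrected pattern every index stays distinct.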
thank you so much😀
Thank you. It works.
If I try to send 3 digits, I get strange results. Please see the picture.