Splunk Enterprise

Create a Line-Chart from an Array within a Single Event

erez10121012
Path Finder

Hi,

I want to display an array by the index of the array on a Splunk dashboard.

I send an array from MATLAB software to Splunk in a single event:

y=1,2,3,4,5,6,7,8,9,10

I want to display a line chart of this y value by the index.

Thanks

1 Solution

ITWhisperer
SplunkTrust

The first part just generates some data, but you already have your events sent from MATLAB in the _raw field (the column is displayed as Events, but the data is in a field called _raw). Your full query should look something like this:

source="tcp:515"
| streamstats count as row
| fields row, _raw
| rex field=_raw "y=(?<y>.*)"
| makemv delim="," y 
| eval size=mvcount(y)
| eval index=mvrange(0, size, 1)
| eval xy=mvzip(index, y)
| mvexpand xy 
| rex field=xy "(?<x>[^,]),(?<y>.*)"
| fields x,y,row
| chart values(y) as y by x, row


ITWhisperer
SplunkTrust

Not sure if y is your data or your index - assuming it is data, then you need to split your data into a multi-value field, combine it with the index of the element, and split that into your x and y, e.g.

| makeresults 
| eval log="y=1,2,3,4,5,6,7,8,9,10" 
| rex field=log "y=(?<y>.*)"
| makemv delim="," y 
| eval size=mvcount(y)
| eval index=mvrange(0, size, 1)
| eval xy=mvzip(index, y)
| mvexpand xy 
| rex field=xy "(?<x>[^,]),(?<y>.*)"
| fields x,y

There is probably a more elegant way of doing this!

erez10121012
Path Finder

Thanks

What do I need to add instead of | eval log="y=1,2,3,4,5,6,7,8,9,10" ?

If I delete this line, it does not work.

Thanks


ITWhisperer
SplunkTrust

The first 3 lines just create a result that I can work with (I don't have your data!)

Assuming you haven't already parsed your log into fields, you need to apply the rex to the _raw field:

| rex field=_raw "y=(?<y>.*)"

erez10121012
Path Finder

It still doesn't show a visualization.

Thanks for the help.


ITWhisperer
SplunkTrust

It is not clear what visualisation you want - do you want a line for each original row of your data? does each row have a unique timestamp or some other way of identifying it?


erez10121012
Path Finder

It is not clear what visualization you want - I want what you show in the first answer: y(x).

Do you want a line for each original row of your data - I want a line for each event, e.g. y=1,2,3...

Does each row have a unique timestamp - no. I sent the data from MATLAB software (y=1,2...).

thanks


ITWhisperer
SplunkTrust

In order to get a line for each event, you can add an additional field for the row number and chart by that:

| makeresults 
| eval event="y=1,2,3,4,5,6,7,8,9,10|y=2,3,4,5,6,7,8,9,10,11|y=3,4,5,6,7,8,9,10,11,12|y=4,5,6,7,8,9,10,11,12,13" 
| makemv delim="|" event
| mvexpand event
| streamstats count as row
| fields row, event
| rex field=event "y=(?<y>.*)"
| makemv delim="," y 
| eval size=mvcount(y)
| eval index=mvrange(0, size, 1)
| eval xy=mvzip(index, y)
| mvexpand xy 
| rex field=xy "(?<x>[^,]),(?<y>.*)"
| fields x,y,row
| chart values(y) as y by x, row

To explain what is going on:

Create some dummy data (obviously, you don't need to do this)

| makeresults 
| eval event="y=1,2,3,4,5,6,7,8,9,10|y=2,3,4,5,6,7,8,9,10,11|y=3,4,5,6,7,8,9,10,11,12|y=4,5,6,7,8,9,10,11,12,13" 
| makemv delim="|" event
| mvexpand event

event is a field that represents your data.

Add a row number:

| streamstats count as row
| fields row, event

Create an array from the event data:

| rex field=event "y=(?<y>.*)"
| makemv delim="," y 

Create an array of indexes (based on the size of array y):

| eval size=mvcount(y)
| eval index=mvrange(0, size, 1)

Zip the index and value together, and create an event for each:

| eval xy=mvzip(index, y)
| mvexpand xy 

Split the index and value again and keep just the index, value and original row number:

| rex field=xy "(?<x>[^,]),(?<y>.*)"
| fields x,y,row

Now, visualise y(x) for each row:

| chart values(y) as y by x, row


erez10121012
Path Finder

Thanks for the explanation.

I think my mistake is on the first step:

When I search for y I see the event, but I can't do statistics like in your example.

What is my mistake?

Thanks



ITWhisperer
SplunkTrust

Sorry, there was a mistake in this line:

| rex field=xy "(?<x>[^,]),(?<y>.*)"

It should have been:

| rex field=xy "(?<x>[^,]*),(?<y>.*)"

This picks up values of x greater than 9, i.e. more than 1 digit.

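To make the step-by-step explanation above and the regex correction concrete without a Splunk instance, here is an added Python emulation of the pipeline (not code from the thread or from Splunk). It replays the rex / makemv / mvrange / mvzip / mvexpand / rex steps over constructed sample events and shows why the original `(?<x>[^,])` silently drops the tens digit of the index once an array has more than 10 elements, while `(?<x>[^,]*)` keeps it; the event strings, regex names and helper functions are all assumptions made for this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample events in the shape the thread describes: one "y=..." array per
# _raw event. The first has 12 elements so indexes 10 and 11 exist; the second has
# 3-digit values, which are never the problem (y is captured with ".*").
EVENTS = ["y=1,2,3,4,5,6,7,8,9,10,11,12", "y=100,200,300"]

# SPL's (?<x>...) groups become (?P<x>...) in Python; the patterns are otherwise the thread's.
REX_ORIGINAL = re.compile(r"(?P<x>[^,]),(?P<y>.*)")    # exactly one non-comma char before ","
REX_CORRECTED = re.compile(r"(?P<x>[^,]*),(?P<y>.*)")  # any run of non-comma chars before ","

Point = Tuple[int, str, str]  # (row, x, y)


def expand_events(events: List[str], rex_xy: re.Pattern) -> List[Point]:
    """Emulate the thread's pipeline: rex, makemv, mvrange, mvzip, mvexpand, rex."""
    points: List[Point] = []
    for row, raw in enumerate(events, start=1):      # streamstats count as row
        m = re.search(r"y=(?P<y>.*)", raw)           # rex field=_raw "y=(?<y>.*)"
        if m is None:
            continue                                 # rex leaves non-matching events without y
        y = m.group("y").split(",")                  # makemv delim="," y
        index = range(0, len(y), 1)                  # mvrange(0, mvcount(y), 1)
        xy = [f"{i},{v}" for i, v in zip(index, y)]  # mvzip(index, y), default "," separator
        for pair in xy:                              # mvexpand xy
            m2 = rex_xy.search(pair)                 # rex field=xy ... (unanchored, like SPL rex)
            if m2 is not None:
                points.append((row, m2.group("x"), m2.group("y")))
    return points


def chart_by_row(points: List[Point]) -> Dict[str, Dict[int, List[str]]]:
    """chart values(y) as y by x, row  ->  {x: {row: [y, ...]}}.
    SPL's values() would also dedupe and sort; insertion order is kept here so the
    mis-assigned values from the original regex stay visible."""
    table: Dict[str, Dict[int, List[str]]] = {}
    for row, x, y in points:
        table.setdefault(x, {}).setdefault(row, []).append(y)
    return table


if __name__ == "__main__":
    for name, rex in (("original", REX_ORIGINAL), ("corrected", REX_CORRECTED)):
        table = chart_by_row(expand_events(EVENTS, rex))
        print(name, "x values:", sorted(table, key=int))
```

With the original pattern the pair "10,11" is matched at offset 1 as x="0", y="11", so the eleventh point lands on top of the first one and the chart never gets an x of 10 or 11.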

erez10121012
Path Finder

Thank you so much 😀


erez10121012
Path Finder

Thank you. It works.

If I try to send 3 digits, I get strange results. Please see the picture.
