Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Correlate between two source and displaying them on timechart (line)

kailun92
Communicator
‎07-10-2013 03:14 AM

I am tasked to correlate between two source (below) and displaying them on a timechart (line). Anyone has any idea how to do that ? I have got sourcetype="CurrentWeatherSGMap" and sourcetype="ltaTraffic" with the following data. What data will be best to correlate, I was thinking on count of Incidents and count of Rain and display a line chart showing the how weather can affect traffic incidents. Anyone has ideas to guide me along ? Thanks in advance !


http://datamall.mytransport.sg/LTAoDataService.svc/IncidentSet(2890113)
(10/7)16:34 Heavy Traffic on CTE (towards SLE) between Merchant Rd Exit and Moulmein Rd Exit.


2013-07-10T10:10:28Z







2890113/d:IncidentID
(10/7)16:34 Heavy Traffic on CTE (towards SLE) between Merchant Rd Exit and Moulmein Rd Exit./d:Message
1.3214362736951211/d:Latitude
103.85607307663071/d:Longitude
Heavy Traffic/d:Type

2013-07-10T10:06:05.277/d:CreateDate
0/d:Distance
/m:properties

1.3214362736951211/geo:lat
103.85607307663071/geo:long

and this

2013-07-10T10:05:51Z







1317369/d:NowcastID
Woodlands/d:Area
Partly Cloudy/d:Condition
1.44043052/d:Latitude
103.7878418/d:Longitude

Partly Cloudy/d:Summary
0/d:Distance

Reply
1 Solution
Solved! Jump to solution
Solution

okrabbe_splunk
Splunk Employee
Splunk Employee
‎07-14-2013 07:22 PM

You can specify multiple fields to do a timechart count.

For example:

sourcetype=CurrentWeatherSGMap OR sourcetype=ltaTraffic  |  timechart count(incident) as Incident count(rain) as Rain

This would produce a graph of the count of incidents versus the rain over time. However, you would need to make sure you had the fields extracted correctly. For example, you would want to make sure that if rain was in your event that you created a field called rain. The same would be true for incidents. Your data is XML so you should have some luck using either KV_MODE or xmlkv to extract out fields from the events.

If you want to learn more about field extraction you can start here:
http://docs.splunk.com/Documentation/Splunk/5.0.3/Knowledge/Addfieldsatsearchtime

View solution in original post

Reply
Solved! Jump to solution
Solution

okrabbe_splunk
Splunk Employee
Splunk Employee
‎07-14-2013 07:22 PM

You can specify multiple fields to do a timechart count.

For example:

sourcetype=CurrentWeatherSGMap OR sourcetype=ltaTraffic  |  timechart count(incident) as Incident count(rain) as Rain

This would produce a graph of the count of incidents versus the rain over time. However, you would need to make sure you had the fields extracted correctly. For example, you would want to make sure that if rain was in your event that you created a field called rain. The same would be true for incidents. Your data is XML so you should have some luck using either KV_MODE or xmlkv to extract out fields from the events.

If you want to learn more about field extraction you can start here:
http://docs.splunk.com/Documentation/Splunk/5.0.3/Knowledge/Addfieldsatsearchtime

Reply
Solved! Jump to solution

kailun92
Communicator
‎07-14-2013 07:26 PM

thank you !

0 Karma
Reply
Solved! Jump to solution

kailun92
Communicator
‎07-14-2013 06:42 PM

It is the count of event, how can I do a time-charting between two sources ?

0 Karma
Reply
Solved! Jump to solution

asimagu
Builder
‎07-10-2013 04:51 PM

Not sure if I got what you are after, but what about searching for both sourcetypes and then timecharting both counts? when you talk about reporting on a count of incidents and rain, do you have those values in a field or is it just the count of events??

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...