Splunk Search

Create a Line-Chart from an Array within a Single Event

hbrandt84
Path Finder

Hi everybody,
I'm trying to wrap my head around chart visualizations with Splunk.
As a start I'm working with machine data that represents the power consumption of a motor over time during one integral action.
The resulting JSON event looks kinda like this:

{   [-] 
     motor_name:     prod_50cal 
     client:         defense_arc    
     start-event:    true
     tech_data: {   [-] 
         power_curve_real:  [   [-] 
         4.01   
         3.08
         3.32   
         ...
         4.17   
         5.69
         6.45
         5.85
        ]   
         direction:  mount  
         power_curve_limit: [   [+] 
        ]   
    }   
     message_type:   mounting_start
     timestamp:  2017-04-11 23:49:34    
}

The "..." cuts the content here for visual reasons, as there are 100 values in each "power_curve_real: []".
Every example and discussion about visualization in Splunk dashboards I've seen concerns using one value from every event and unifying them in a chart.
In my case I try to transform every event into a single line of a line chart. Plus, I want to show a "trendline" - an average of all shown lines.
My main logical problem is the definition of the X-axis and Y-axis...
My power-data entries are obviously my values for the Y-axis, but the X-axis is still undefined, as it needs to have the array index "1,2,3 ... 98,99,100" as description. (But this index does not exist as literals within the event...)

I'm totally clueless, as I have not found any commands that are suitable for this kind of event.
I'm thankful and open for any suggestions...

0 Karma

niketn
Legend

If you extract power_curve_real as a multivalued field using the spath command, then you can use mvexpand to create a single event for each of the values of power_curve_real.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

hbrandt84
Path Finder

Yeah, I had already seen that command and I got the concept of dividing a single event into individual events. But I still don't see the benefit over multiple events. Is this necessary for the visualisation, to have each X/Y value pair in a separate event?

0 Karma

DalJeanis
Legend

The command you are looking for is spath.

After you extract the array of values from the JSON into a multivalue field with that command, you are going to want to use mvexpand to turn each individual value of that field into an individual record.

What you need will be pretty close to what I did in the answer for this one, and what I posted there was run-anywhere code. My answer hasn't been approved yet, but when it appears you can play with it line by line and see what each command does. Modifying it for your own needs should not be too difficult.

https://answers.splunk.com/answers/525678/parse-json-series-data-into-a-chart.html

You will have to determine whatever makes sense to do with the _time of each record, but to start your viz, just use a command something like this.

(after you've split up the records)
| streamstats count as mycount
| eval _time =now()+mycount  

That will give each one, in order, a different time by 1 second, which is enough so that everything doesn't all happen at once. 😉

hbrandt84
Path Finder

Okay, thanks for your response. I was especially looking for SPL ideas that create X/Y axis value pairs - and the mvzip approach might do the trick! Tomorrow I will try to apply this to my approach.

DalJeanis
Legend

Oh, here's another useful item: mvrange(A,B,C), where A, B, and C are numbers or variables that equate to numbers, creates an mv field that starts at A and proceeds by step C until it is greater than or equal to B. C defaults to 1.

For example, mvrange(1,11,2) is equivalent to mvappend(1,3,5,7,9)

So, for example, assuming that PowerCurveReal and PowerCurveLimit always have the same number of readings, you could say...

| eval readings=mvrange(1,mvcount(PowerCurveReal)+1)
| eval readings=mvzip(readings,mvzip(PowerCurveReal,PowerCurveLimit,"!!!!"),"!!!!")

...and then you would have them all zipped together with a delimiter that won't ever appear in the data, in a way you can turn each composite reading into a single record.

0 Karma
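The whole pipeline from the posted JSON to a chartable table, combining niketn's spath/mvexpand suggestion with DalJeanis's mvrange/mvzip approach, as an added run-anywhere example (this is not code from any poster in the thread). It constructs two sample events with makeresults (constructed values, seven readings each instead of the 100 in the question); the field names PowerCurveReal, PowerCurveLimit, series, idx, real, limit and the "!!!!" delimiter are choices made here, not anything the thread prescribes. The appendpipe/xyseries step at the end adds the average-over-events "trendline" the question asks for, which goes a step beyond what the answers above show.

```spl
| makeresults count=2
| streamstats count as n
| eval _raw=if(n=1,
    "{\"motor_name\":\"prod_50cal\",\"client\":\"defense_arc\",\"message_type\":\"mounting_start\",\"tech_data\":{\"direction\":\"mount\",\"power_curve_real\":[4.01,3.08,3.32,4.17,5.69,6.45,5.85],\"power_curve_limit\":[6.0,6.0,6.0,6.0,6.5,6.5,6.5]}}",
    "{\"motor_name\":\"prod_50cal\",\"client\":\"defense_arc\",\"message_type\":\"mounting_start\",\"tech_data\":{\"direction\":\"mount\",\"power_curve_real\":[3.80,3.20,3.40,4.50,5.90,6.60,6.10],\"power_curve_limit\":[6.0,6.0,6.0,6.0,6.5,6.5,6.5]}}")
| spath path=motor_name output=motor_name
| spath path=tech_data.power_curve_real{} output=PowerCurveReal
| spath path=tech_data.power_curve_limit{} output=PowerCurveLimit
| eval series=motor_name."#".n
| eval readings=mvrange(1, mvcount(PowerCurveReal)+1)
| eval readings=mvzip(readings, mvzip(PowerCurveReal, PowerCurveLimit, "!!!!"), "!!!!")
| mvexpand readings
| rex field=readings "^(?<idx>\d+)!!!!(?<real>[^!]+)!!!!(?<limit>.+)$"
| eval idx=tonumber(idx), real=tonumber(real), limit=tonumber(limit)
| stats max(real) as value by idx series
| appendpipe [ stats avg(value) as value by idx | eval series="trend" ]
| xyseries idx series value
| sort 0 num(idx)
```

What each stage does: the two spath calls with a trailing {} pull each JSON array into a multivalue field, one value per array element, in array order. mvrange(1, mvcount(PowerCurveReal)+1) manufactures the missing X-axis index; the +1 is needed because the end bound of mvrange is exclusive, so mvrange(1,100) would stop at 99 and leave the last reading without an index. mvzip glues index, real value and limit into one string per reading, mvexpand turns each such string into its own record, and rex splits it back into idx/real/limit. The stats/appendpipe/xyseries block pivots the records into one column per event (the series field, here motor_name plus the event number; in real data a timestamp or event id is the natural choice) plus a trend column holding the average over all events at each index. Fed to the Line Chart visualization, idx becomes the X-axis and every other column a line, which is the picture the question describes. To check an intermediate stage, cut the search after any "|" and look at the table; in particular, after mvexpand there should be exactly mvcount(PowerCurveReal) rows per original event.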

adonio
Ultra Champion

hello there,
can you kindly show how the event looks in Splunk?
if it's a multivalue field that contains 100 numeric values, you can manipulate it as shown here: https://docs.splunk.com/Documentation/Splunk/6.5.3/Search/Parsemultivaluefields
hope it's a start

0 Karma

hbrandt84
Path Finder

Thanks for your suggestion - it follows the same concept as niketnilays' suggestion, as I have problems in seeing the benefit of splitting my event up into smaller ones... But what do you mean with "how the event looks"? I copied (and slightly edited) the event straight from the search app (highlighted)... Do you mean the raw event text?

0 Karma