Splunk Search

Help with search to use for dashboard - link key-value pairs

neilmac64
Path Finder

Hi Folks - 

I would appreciate some help to create a dashboard. I want a simple line chart that shows how a value changes over time. 

My data comes from a csv file, and in the csv it is in this format:

timestamp        mac_address        key         value
20220902-153931  xx:yy:zz:aa:bb:01  counter_01  246897
20220902-153931  xx:yy:zz:aa:bb:01  counter_02  1595

Further on in the same file we see the same keys for a different device by mac_address:

timestamp        mac_address        key         value
20220902-153931  xx:yy:zz:aa:bb:02  counter_01  600
20220902-153931  xx:yy:zz:aa:bb:02  counter_02  1350

This is how the data looks in search for a single device (identified by mac_address) and a single key (counter_01) with a value of 246897.

[screenshot: neilmac64_0-1662370147111.png]

These values are pulled via a script which runs according to a schedule, so the index will contain updated data with a new timestamp. In all there are about 20 key/value matches per device per run of the script.

What I would like to achieve:

A simple line chart that shows the values for device 1, showing the counter_01 key and how the value changes over time.

The problem I am having is understanding how to get the chart to identify the device and then show the right stat.

Once I know how to do this I'm sure I can work out how to display the other values. 

As always, I'm very grateful for any help.

NM

ITWhisperer
SplunkTrust

I am slightly confused by your example data and requirement - you have timestamps all the same (yet you want to show changes over time) - you have 3 mac addresses ending in 02 and 1 ending in 01 - the values for counter_01 are different, but the values for counter_02 are the same.

Charts would usually have 3 dimensions, _time / timestamp, value, series. Which of your fields represent these dimensions?

(You can use overlays to split some of the series into different scales, but the series are still the third dimension.)


neilmac64
Path Finder

Thanks for the reply.

I have made some corrections to the original post - thanks for bearing with me.

To keep it simple, if we look for now at just mac address 1, so for a single device (i.e. define the mac address to display for), I would like to track the time as the x-axis. The y-axis would be the value. The dataset would be counter_01.

I hope this clears things up - thanks again for the help.


ITWhisperer
SplunkTrust

| where key="counter_01" AND mac_address="xx:yy:zz:aa:bb:01"
| timechart values(value) by key

neilmac64
Path Finder

OK, I have this, but no results found:

| where index=index AND key=counter_01 AND mac_address="xx:yy:zz:aa:bb:01"
| timechart values(value) by key

(I added the index name)

Did I miss something?


ITWhisperer
SplunkTrust

What you have there is looking for a match between the value in field 'key' and the value in field 'counter_01' - to compare the value in field 'key' with the string value "counter_01", you need to have the string value in double quotes (as I showed).
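Putting the accepted answer into an actual dashboard, as an added example that is not from anyone in this thread: a Simple XML form with a device dropdown populated from the indexed data and a counter dropdown, so one line chart serves any device and any of the keys. The index name YOUR_INDEX is a placeholder, the counter choices beyond counter_01 and counter_02 are assumed, and the 15 minute span is a guess at the script schedule.

```xml
<form>
  <label>Device counters over time</label>
  <fieldset submitButton="false">
    <!-- device list is built from the data itself, so new devices appear automatically -->
    <input type="dropdown" token="mac" searchWhenChanged="true">
      <label>Device (mac_address)</label>
      <fieldsForLabel>mac_address</fieldsForLabel>
      <fieldsForValue>mac_address</fieldsForValue>
      <search>
        <query>index=YOUR_INDEX | stats count by mac_address</query>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </search>
    </input>
    <!-- static list of keys; assumed names beyond counter_01/counter_02 -->
    <input type="dropdown" token="counter" searchWhenChanged="true">
      <label>Counter</label>
      <choice value="counter_01">counter_01</choice>
      <choice value="counter_02">counter_02</choice>
      <default>counter_01</default>
    </input>
    <input type="time" token="range">
      <label>Time range</label>
      <default>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>$counter$ for $mac$</title>
      <chart>
        <!-- the index is selected in the base search, not in where.
             In where the right-hand side must be a quoted literal:
             an unquoted counter_01 is read as a field name and matches nothing.
             latest(value) per bucket gives one numeric point per script run. -->
        <search>
          <query>index=YOUR_INDEX mac_address="$mac$"
| where key="$counter$"
| timechart span=15m latest(value) by key</query>
          <earliest>$range.earliest$</earliest>
          <latest>$range.latest$</latest>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.legend.placement">bottom</option>
      </chart>
    </panel>
  </row>
</form>
```

Note the asymmetry that caused the "no results" above: in the search command an unquoted key=counter_01 matches the literal value, but inside where the same text compares the key field with a field called counter_01, so the quotes are required there.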
