Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help with search to use for dashboard - link key-value pairs

neilmac64
Path Finder
‎09-05-2022 02:31 AM

Hi Folks - 

I would appreciate some help to create a dashboard. I want a simple line chart that shows how a value changes over time. 

My data comes from a csv file and in the csv, is in this format:

timestampmac_addresskeyvalue
20220902-153931xx:yy:zz:aa:bb:01counter_01246897
20220902-153931xx:yy:zz:aa:bb:01counter_021595

 

Further on in the same file we see the same keys for a different device by mac_address:

timestampmac_addresskeyvalue
20220902-153931xx:yy:zz:aa:bb:02counter_01600
20220902-153931xx:yy:zz:aa:bb:02counter_021350

 

This is how the data looks in search for a single device (identified by mac_address) and a single key (counter_01) with a value of 246897.

neilmac64_0-1662370147111.png

 

 

These values are pulled via a script which runs according to a schedule, so the index will contain updated data with a new timestamp. In all there are about 20 key/value matches per device per run of the script.

What I would like to achieve:

A simple line chart that shows the values for device 1, showing the counter_01 key and how the value changes over time.

The problem I am having is understanding how to get the chart to identify the device and then show the right stat.

Once I know how to do this I'm sure I can work out how to display the other values. 

As always, I'm very grateful for any help.

NM

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-05-2022 04:21 AM

What you have there is looking for a match between the value in field 'key' and the value in field 'counter_01' - to compare the value in field 'key' with the string value "counter_01", you need to have the string value in double quotes (as I showed).

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-05-2022 02:52 AM

I am slightly confused by your example data and requirement - you have timestamps all the same (yet you want to show changes over time) - you have 3 mac addresses ending in 02 and 1 ending in 01 - the values for counter_01 are different, but the values for counter_02 are the same.

Charts would usually have 3 dimensions, _time / timestamp, value, series. Which of your fields represent these dimensions?

(You can use overlays to split some of the series into different scales, but the series are still the third dimension.)

0 Karma
Reply
Solved! Jump to solution

neilmac64
Path Finder
‎09-05-2022 03:29 AM

Thanks for the reply.

I have made some corrections to the original post - thanks for bearing with me.

To keep it simple, if we look for now at just mac address 1, so for a single device (ie define the mac address to display for), I would like to track the time as the x-axis. The y-axis would be the value. The dataset would be counter_01.

I hope this clears things up - thanks again for the help.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-05-2022 03:42 AM 
| where key="counter_01" AND mac_address="xx:yy:zz:aa:bb:01"
| timechart values(value) by key
0 Karma
Reply
Solved! Jump to solution

neilmac64
Path Finder
‎09-05-2022 03:49 AM

OK, I have this:, but no results found:

| where index=index AND key=counter_01 AND mac_address="xx:yy:zz:aa:bb:01"
| timechart values(value) by key

(I added the index name)

Did I miss something?

 

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-05-2022 04:21 AM

What you have there is looking for a match between the value in field 'key' and the value in field 'counter_01' - to compare the value in field 'key' with the string value "counter_01", you need to have the string value in double quotes (as I showed).

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...