Splunk Search

How can I extract different arrays from a field to visualise?

annie_22
New Member

Hi,

I have a text file that contains data which looks like

"x:[-0.01,0.04,0.9],y:[0.00045,0.00035,0.03],z:[0.00115,0.0012,0.001]"

Now my idea was to visualise x, y and z in a nice way (I am using the names x, y, z just for example's sake, they would be different depending on data). I got the data into Splunk and all of the data appears in field1. I can't understand/figure out a way to get three fields from this field1, by three fields I mean x, y and z with their values respectively. I tried "extract field" but couldn't manage the way I needed.
To visualise this data in a nice representation, I must extract them from field1 but I am really clueless. Would someone please help, and guide me in the right direction. I haven't worked with Splunk before and that's why I don't have much knowledge about it yet.
I appreciate any help, thanks.

0 Karma

rutdesanti
New Member

Try with this:
| eval mynewfield=case(field1 =="x:[-0.01,0.04,0.9]")

0 Karma

horsefez
Motivator

Hey annie22,

Have you tried the | rex command yet?
Other than that, please give us more sample data + an expected output, as your explanation doesn't tell me what it should look like in the end.

Thanks,
pyro_wood

annie_22
New Member

Hi pyro_wood,
Thank you for your comment, I haven't looked into rex, didn't know about it, going to look it up.
Here is the sample file data that I have currently:

"x:[-0.014800000000000002,-0.014871794871794873,-0.015184210526315788,-0.015081081081081082,-0.01586111111111111,-0.015457142857142862,-0.015264705882352944,-0.015000000000000003,-0.014374999999999999,-0.013387096774193549,-0.010966666666666668,-0.009517241379310346,-0.007285714285714286,-0.010481481481481482,-0.00830769230769231,-0.006160000000000001,-0.006875000000000002,0.0015217391304347839,-0.0039545454545454545,-0.003809523809523809,-0.0029000000000000002,-0.0038947368421052638,-0.010555555555555556,0.006411764705882354,0.002125,-0.007933333333333332,-0.009142857142857144,-0.006153846153846153,-0.00025,-0.00009090909090909092,-0.0001,-0.00022222222222222231,0.0008749999999999999,0.0012857142857142856,-0.0003333333333333335,0.0012000000000000001,0.00075,0.0016666666666666668,0.0035,0],y:[0.00045000000000000004,0.00035897435897436035,0.0001578947368421065,0.000054054054054055205,-0.00027777777777777696,-0.00034285714285714215,0.000058823529411765954,0.00018181818181818324,-0.000031249999999998754,-0.00016129032258064402,0.0001666666666666682,-0.0005517241379310337,0.0008571428571428573,-0.0023333333333333327,0.0027692307692307712,0.001720000000000001,0.001875000000000001,0.00830434782608696,0.007000000000000001,0.005476190476190476,0.0048000000000000004,0.003473684210526318,-0.0005555555555555539,-0.005529411764705882,-0.01425,-0.009200000000000002,-0.005428571428571429,-0.0007692307692307691,-0.0013333333333333333,-0.0016363636363636365,-0.0018000000000000002,-0.002111111111111111,-0.0025,-0.002285714285714286,-0.0036666666666666666,-0.002,-0.00275,-0.0013333333333333333,0,0],z:[0.00115,0.0012307692307692308,0.0011578947368421052,0.0014054054054054058,0.001444444444444445,0.0012000000000000003,0.001411764705882353,0.001272727272727273,0.0010625,0.001064516129032258,0.0007000000000000009,0.0029999999999999996,0.003428571428571429,0.011333333333333332,0.00030769230769230835,-0.0002799999999999999,-0.008208333333333331,-0.008304347826086954,-0.005954545454545452,-
0.00461904761904762,-0.00385,-0.00268421052631579,-0.0025,0.003764705882352942,0.010500000000000002,0.010000000000000002,0.006285714285714286,0.00023076923076923063,0.0016666666666666663,0.0008181818181818183,0.0009000000000000001,0.0008888888888888889,0.000625,0.00028571428571428574,0,0.0002,0.0005,0,-0.001,0]"

Sorry for not being so clear, I will try to explain, having this data in mind, when Splunk reads it from file, it shows all of it in 1 field, my problem is when I click on visualisation, I want in statistics table three columns with names x, y and z, and their data under them. I am not sure if that is even possible in Splunk.

For the sake of a smaller example, if the data is:

 "x:[1,4,9,4],y:[45,35,3,0],z:[115,12,1,9]"

I want to see in statistics table as an expected result something like this:


Thank you!!!

0 Karma

annie_22
New Member

Oops sorry, my previous comment doesn't show the image link where I had expected result, I think because I don't have enough points so it won't let me use any hyperlink. So I will try explaining instead, I would like as expected result a table with in this case three columns, x, y and z and then their values under them. Sorry for the inconvenience.

0 Karma
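
One way to produce the three-column table described in the question, as an added example that is not part of the original thread. It assumes the raw string is in `field1` as the poster describes; the `makeresults`/`eval` lines only stand in for the indexed event, using the small sample from the question, and the intermediate field names (`name`, `vals`, `pair`, `row`, `idx`, `value`) are chosen here for illustration. Because the array names are captured by the regex rather than hard-coded, it also works when they are not literally x, y and z.

```spl
| makeresults
| eval field1="x:[1,4,9,4],y:[45,35,3,0],z:[115,12,1,9]"
| rex field=field1 max_match=0 "(?<name>\w+):\[(?<vals>[^\]]*)\]"
| eval pair=mvzip(name, vals, "=")
| mvexpand pair
| eval name=mvindex(split(pair, "="), 0), vals=split(mvindex(split(pair, "="), 1), ",")
| eval idx=mvrange(0, mvcount(vals))
| eval row=mvzip(idx, vals, "=")
| mvexpand row
| eval idx=tonumber(mvindex(split(row, "="), 0)), value=tonumber(mvindex(split(row, "="), 1))
| xyseries idx name value
| sort 0 idx
```

`rex` with `max_match=0` captures every `name:[...]` pair, the two `mvexpand` steps turn each array element into its own row keyed by its position `idx`, and `xyseries` pivots the rows so each array name becomes a column. On real data, drop the first two lines and start from the search that returns `field1`.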