Splunk Search

How can I extract different arrays from a field to visualise?

annie_22
New Member

Hi,

I have a text file that contains data which looks like

"x:[-0.01,0.04,0.9],y:[0.00045,0.00035,0.03],z:[0.00115,0.0012,0.001]"

Now my idea was to visualise x, y and z in a nice way(I am using the names x, y, z just for example's sake, they would be different depending on data). I got the data into Splunk and all of the data appears in field1 . I can't understand/figure out a way to get three fields from this field1, by three fields I mean x, y and z with their values respectively. I tried "extract field" but couldn't manage the way I needed.
To visualise this data in a nice representation, I must extract them from field1 but I am really clueless. Would some one please help, and guide me in the right direction. I haven't worked with Splunk before and thats why I don't have much knowledge about it yet.
I appreciate any help, thanks.

Tags (3)
0 Karma

rutdesanti
New Member

Try with this:
| eval mynewfield=case(field1 =="x:[-0.01,0.04,0.9]")

0 Karma

horsefez
SplunkTrust
SplunkTrust

Hey annie22,

have you tried the | rex command yet?
Other than that please give us more sample data + an expected output as your explanation doesn't tell me how it should look like in the end.

Thanks,
pyro_wood

annie_22
New Member

Hi pyro_wood,
Thank you for your comment, I haven't looked into rex, didn't know about it, going to look it up.
Here is the sample file data that I have currently:

"x:[-0.014800000000000002,-0.014871794871794873,-0.015184210526315788,-0.015081081081081082,-0.01586111111111111,-0.015457142857142862,-0.015264705882352944,-0.015000000000000003,-0.014374999999999999,-0.013387096774193549,-0.010966666666666668,-0.009517241379310346,-0.007285714285714286,-0.010481481481481482,-0.00830769230769231,-0.006160000000000001,-0.006875000000000002,0.0015217391304347839,-0.0039545454545454545,-0.003809523809523809,-0.0029000000000000002,-0.0038947368421052638,-0.010555555555555556,0.006411764705882354,0.002125,-0.007933333333333332,-0.009142857142857144,-0.006153846153846153,-0.00025,-0.00009090909090909092,-0.0001,-0.00022222222222222231,0.0008749999999999999,0.0012857142857142856,-0.0003333333333333335,0.0012000000000000001,0.00075,0.0016666666666666668,0.0035,0],y:[0.00045000000000000004,0.00035897435897436035,0.0001578947368421065,0.000054054054054055205,-0.00027777777777777696,-0.00034285714285714215,0.000058823529411765954,0.00018181818181818324,-0.000031249999999998754,-0.00016129032258064402,0.0001666666666666682,-0.0005517241379310337,0.0008571428571428573,-0.0023333333333333327,0.0027692307692307712,0.001720000000000001,0.001875000000000001,0.00830434782608696,0.007000000000000001,0.005476190476190476,0.0048000000000000004,0.003473684210526318,-0.0005555555555555539,-0.005529411764705882,-0.01425,-0.009200000000000002,-0.005428571428571429,-0.0007692307692307691,-0.0013333333333333333,-0.0016363636363636365,-0.0018000000000000002,-0.002111111111111111,-0.0025,-0.002285714285714286,-0.0036666666666666666,-0.002,-0.00275,-0.0013333333333333333,0,0],z:[0.00115,0.0012307692307692308,0.0011578947368421052,0.0014054054054054058,0.001444444444444445,0.0012000000000000003,0.001411764705882353,0.001272727272727273,0.0010625,0.001064516129032258,0.0007000000000000009,0.0029999999999999996,0.003428571428571429,0.011333333333333332,0.00030769230769230835,-0.0002799999999999999,-0.008208333333333331,-0.008304347826086954,-0.005954545454545452,-0.00461904761904762,-0.00385,-0.00268421052631579,-0.0025,0.003764705882352942,0.010500000000000002,0.010000000000000002,0.006285714285714286,0.00023076923076923063,0.0016666666666666663,0.0008181818181818183,0.0009000000000000001,0.0008888888888888889,0.000625,0.00028571428571428574,0,0.0002,0.0005,0,-0.001,0]"

Sorry for not being so clear, I will try to explain, having this data in mind, when Splunk reads it from file, it shows all of it in 1 field, my problem is when I click on visualisation, I want in statistics table three columns with names x, y and z, and their data under them. I am not sure if that is even possible in Splunk.

for the sake of a smaller example if the data is:

 "x:[1,4,9,4],y:[45,35,3,0],z:[115,12,1,9]"

I want to see in statistics table as an expected result some thing like this:

alt text

Thank you!!!

0 Karma

annie_22
New Member

Oops sorry, my previous comment doesn't show the image link where I had expected result, I think because I don't have enough points so it won't let me use any hyperlink. So I will try explaining instead, I would like as expected result a table with in this case three columns, x, y and z and then their values under them. Sorry for the inconvenience.

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...