Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do I find the latest value of multiple paramet...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The data from multiple sensors comes into SPlunk though a single DB connection as:
SensorId ParamA ParamB ParamC
1 33 92 79
2 39 87 91
3 42 84 99
Each row indexes as a different event in Splunk with same timestamp and different SensorId
I want to display the latest values of each parameter against each sensor Id and my search query is as follows:
sourcetype=aaa source=bbb | head 3|SensorId table ParamA ParamB ParamC | sort SensorId
It seems to work fine but I am not sure if it will work fine if one of the sensors stops to send data, please suggest a possible workaround to display Zero in such case
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can try running stats for a specific period. Whichever Sensor is not listed you will not get in result.
sourcetype=aaa source=bbb
| table _time SensorId ParamA ParamB ParamC
| stats count last(ParamA) as LastParamA last(ParamB) as LastParamB last(ParamC) as LastParamC by SensorId
You can also run a timechart (only count will be meaningful). However, you will come to know if any sensor stops sending data and how ling have they not been sending.
sourcetype=aaa source=bbb
| table _time SensorId ParamA ParamB ParamC
| timechart count by SensorId
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can try running stats for a specific period. Whichever Sensor is not listed you will not get in result.
sourcetype=aaa source=bbb
| table _time SensorId ParamA ParamB ParamC
| stats count last(ParamA) as LastParamA last(ParamB) as LastParamB last(ParamC) as LastParamC by SensorId
You can also run a timechart (only count will be meaningful). However, you will come to know if any sensor stops sending data and how ling have they not been sending.
sourcetype=aaa source=bbb
| table _time SensorId ParamA ParamB ParamC
| timechart count by SensorId
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you niketnilay!
The time chart option is indeed helpful, but I have more than 20 sensors and it shows me the individual data for only 10 and rest as others. Is there any way to find the data for all 15 to 20 sensors or more if any?
Also, is there a way to identify the parameter for which the data is not being sent and display it in the same time chart?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Convert to the following. Timechart limits series to be plotted to 10 so that visualization is not too messy. However, if you know that you have just 20 sensors following should work
| timechart count by SensorId useother=f limit=20
Alternatively, you can also set limit=0 to show n number of series.
| makeresults | eval message= "Happy Splunking!!!"
Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain
Splunk Lantern’s Guide to The Most Popular .conf25 Sessions
Unlock What’s Next: The Splunk Cloud Platform at .conf25
