Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I make a search string to get Real Time data from multiple *.txt files?

pascoaljo
New Member
‎09-18-2018 10:14 AM

alt textDear Team,

I'm trying to to get data from two *.txt files into a single Line Chart.

For example, with the following string, I get the data into the Line Chart:

(host=jp) source="/home/jp/pings/targets/googledns.txt" | timechart avg(time)

But, what I am trying to do is also get data from another .txt file, at the same time:

(host=jp) source="/home/jp/pings/targets/defaultGateway.txt" | timechart avg(time)

... so in one Line Chart, it would show the data from both files.

With the following string, in Real Time, it only shows sheet1 in the Line Chart:

(host=jp) source="/home/jp/pings/targets/googledns.txt" | timechart avg(time) as sheet1 |appendcols  [search (host=jp) source="/home/jp/pings/targets/defaultGateway.txt" | timechart avg(time) as sheet2]

I verified that when I change from Real Time -> 30 minute windows... to... Last 15 minutes... it shows sheet1 and sheet2.

This means that the script you provided is not for Real Time reading of data, due to it it only shows sheet1.

Could you please provide us a string that is capable to read multiple .txt files in Real Time mode?

Thank you in advance

Kind regards
JP

Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

msivill_splunk
Splunk Employee
Splunk Employee
‎09-18-2018 10:25 AM

How about.....

(host=jp) source="/home/jp/pings/targets/googledns.txt" OR source="/home/jp/pings/targets/defaultGateway.txt"
| timechart avg(time) by source

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

msivill_splunk
Splunk Employee
Splunk Employee
‎09-18-2018 10:25 AM

How about.....

(host=jp) source="/home/jp/pings/targets/googledns.txt" OR source="/home/jp/pings/targets/defaultGateway.txt"
| timechart avg(time) by source
0 Karma
Reply
Solved! Jump to solution

msivill_splunk
Splunk Employee
Splunk Employee
‎09-20-2018 12:49 AM

One option could be to rename the fields after the averages has been calculated

 (host=jp) source="/home/jp/pings/targets/googledns.txt" OR source="/home/jp/pings/targets/defaultGateway.txt"
| timechart avg(time) by source
| rename /home/jp/pings/targets/googledns.txt as "Google DNS", /home/jp/pings/targets/defaultGateway.txt as "Default Gateway"
Reply
Solved! Jump to solution

pascoaljo
New Member
‎09-20-2018 09:21 AM

Hi Misvill,

I got an error with the script you provided, but with a small change, it works:

(host=jp) source="/home/jp/pings/targets/googledns.txt" OR source="/home/jp/pings/targets/defaultGateway.txt"
| timechart avg(time) by source
| rename /home/jp/pings/targets/googledns.txt as "Google DNS" | /home/jp/pings/targets/defaultGateway.txt as "Default Gateway"

If is not asking to much....

Could you please help, to get the same color in the charts, below the line chart... each one with the color of the line, in the Line Chart

Thank you for you're kind support.

Best regards
JP

0 Karma
Reply
Solved! Jump to solution

msivill_splunk
Splunk Employee
Splunk Employee
‎09-20-2018 09:40 AM

Can you please accept the answer which has been done as ask the additional question as new question?

0 Karma
Reply
Solved! Jump to solution

msivill_splunk
Splunk Employee
Splunk Employee
‎09-20-2018 10:22 AM

You haven't accepted my answer. You've accepted your own with the screenshot.

0 Karma
Reply
Solved! Jump to solution

pascoaljo
New Member
‎09-19-2018 10:28 AM

alt text

Preview file
1 KB
0 Karma
Reply
Solved! Jump to solution

pascoaljo
New Member
‎09-18-2018 04:55 PM

Hi Msivill,

Thanks a lot, now I get data into the Line Chart from the two different .txt files.

I already tested with more .txt files, reading from them a PING -t from other locations, in Real Time and works without issues.

Maybe you could help, how to change the "Legend" of the two files that shows in the Line Chart, to a custom "Legend".

Thanks again.

Kind regards
JP

0 Karma
Reply
Solved! Jump to solution

pascoaljo
New Member
‎09-19-2018 03:57 AM

Hi Msivill

I can't find here, where to upload a screenshot.
But I can send you, if you send me the contact.

Thank you in advance.

Kind regards
JP

0 Karma
Reply
Solved! Jump to solution

msivill_splunk
Splunk Employee
Splunk Employee
‎09-19-2018 04:04 AM

Can you edit the original question to add it there? It looks like I can add an image that is already up on the internet in this comment, but that won't help. A visual helps me get my head around the problem quicker. What text is currently appearing in the legend?

0 Karma
Reply
Solved! Jump to solution

msivill_splunk
Splunk Employee
Splunk Employee
‎09-18-2018 11:28 PM

Have you got a picture to show what you currently have?

0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...