Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to chart a .csv file
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to chart a .csv file
gmelasecca
Engager
09-03-2015
12:12 PM
I have a CSV file which runs every 5 minutes and gathers data from separate data sources. A sample of what is compiled in Splunk is below. What I'm looking to do is chart the data into each of its own columns / rows, then sort the columns by whichever we choose. The main data we will need to pull from the .csv is in bold. As you can see, the columns in the script add the column names such as ''PollTime, Server Name, QueueName etc".
PollTime, Server Name, QueueName, Display Name, value
2015-09-03 15:01:27 All, All, All, All
PollTime, Server Name, QueueName, Display Name, value
2015-09-03 14:59:42 All, All, All, All
2015-09-03 14:01:26, SERVER1.main.corp.int, SERVER.C1.DG1.DGREQ, Consumer Count, 60
2015-09-03 14:01:24, SERVER2.main.corp.int, SERVER.C2.DG2.DGREQ, Consumer Count, 0
2015-09-03 14:01:23, SERVER3.main.corp.int, SERVER.C3.DG1.DGREQ, Consumer Count, 15
2015-09-03 14:01:22, SERVER4.main.corp.int, SERVER.C4.DG2.DGREQ, Consumer Count, 0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lcrielaa
Communicator
09-10-2015
12:58 AM
Use multikv to separate the data and then use the new values for your chart/timechart.
index=... sourcetype=... | multikv fields PollTime, "Server Name", QueueName, "Display Name", value | timechart avg(value) by "Server Name"
You might have to tweak the above query a bit but that should get you started.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
09-03-2015
02:08 PM
Is the data already ingested in Splunk??
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gmelasecca
Engager
09-08-2015
06:40 AM
Yes the data is already in splunk. above is what splunk is outputting.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dkoops
Path Finder
09-09-2015
07:46 AM
And is each line in your example a different event? Because then you should just make a field extraction (or alternatively use rex-command in search) and use a table command to make the chart you want.
If Splunk, for some reason, throws it all in one event you might want to check the props.conf file if he is breaking events correctly.
Get Updates on the Splunk Community!
Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!
What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...
Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
A Prelude to .conf25: Your Guide to Splunk University
Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...
