Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to chart a .csv file

gmelasecca
Engager
‎09-03-2015 12:12 PM

I have a CSV file which runs every 5 minutes and gathers data from separate data sources. A sample of what is compiled in Splunk is below. What I'm looking to do is chart the data into each of its own columns / rows, then sort the columns by whichever we choose. The main data we will need to pull from the .csv is in bold. As you can see, the columns in the script add the column names such as ''PollTime, Server Name, QueueName etc".

PollTime, Server Name, QueueName, Display Name, value
2015-09-03 15:01:27 All, All, All, All
PollTime, Server Name, QueueName, Display Name, value
2015-09-03 14:59:42 All, All, All, All
2015-09-03 14:01:26, SERVER1.main.corp.int, SERVER.C1.DG1.DGREQ, Consumer Count, 60
2015-09-03 14:01:24, SERVER2.main.corp.int, SERVER.C2.DG2.DGREQ, Consumer Count, 0
2015-09-03 14:01:23, SERVER3.main.corp.int, SERVER.C3.DG1.DGREQ, Consumer Count, 15
2015-09-03 14:01:22, SERVER4.main.corp.int, SERVER.C4.DG2.DGREQ, Consumer Count, 0

Tags (2)
0 Karma
Reply

lcrielaa
Communicator
‎09-10-2015 12:58 AM

Use multikv to separate the data and then use the new values for your chart/timechart.

index=... sourcetype=... | multikv fields PollTime, "Server Name", QueueName, "Display Name", value | timechart avg(value) by "Server Name"

You might have to tweak the above query a bit but that should get you started.

0 Karma
Reply

somesoni2
Revered Legend
‎09-03-2015 02:08 PM

Is the data already ingested in Splunk??

0 Karma
Reply

gmelasecca
Engager
‎09-08-2015 06:40 AM

Yes the data is already in splunk. above is what splunk is outputting.

0 Karma
Reply

dkoops
Path Finder
‎09-09-2015 07:46 AM

And is each line in your example a different event? Because then you should just make a field extraction (or alternatively use rex-command in search) and use a table command to make the chart you want.

If Splunk, for some reason, throws it all in one event you might want to check the props.conf file if he is breaking events correctly.

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...
Top