Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to chart a .csv file
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to chart a .csv file
I have a CSV file which runs every 5 minutes and gathers data from separate data sources. A sample of what is compiled in Splunk is below. What I'm looking to do is chart the data into each of its own columns / rows, then sort the columns by whichever we choose. The main data we will need to pull from the .csv is in bold. As you can see, the columns in the script add the column names such as ''PollTime, Server Name, QueueName etc".
PollTime, Server Name, QueueName, Display Name, value
2015-09-03 15:01:27 All, All, All, All
PollTime, Server Name, QueueName, Display Name, value
2015-09-03 14:59:42 All, All, All, All
2015-09-03 14:01:26, SERVER1.main.corp.int, SERVER.C1.DG1.DGREQ, Consumer Count, 60
2015-09-03 14:01:24, SERVER2.main.corp.int, SERVER.C2.DG2.DGREQ, Consumer Count, 0
2015-09-03 14:01:23, SERVER3.main.corp.int, SERVER.C3.DG1.DGREQ, Consumer Count, 15
2015-09-03 14:01:22, SERVER4.main.corp.int, SERVER.C4.DG2.DGREQ, Consumer Count, 0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Use multikv to separate the data and then use the new values for your chart/timechart.
index=... sourcetype=... | multikv fields PollTime, "Server Name", QueueName, "Display Name", value | timechart avg(value) by "Server Name"
You might have to tweak the above query a bit but that should get you started.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is the data already ingested in Splunk??
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes the data is already in splunk. above is what splunk is outputting.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
And is each line in your example a different event? Because then you should just make a field extraction (or alternatively use rex-command in search) and use a table command to make the chart you want.
If Splunk, for some reason, throws it all in one event you might want to check the props.conf file if he is breaking events correctly.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
