Re: Visualization

kirthika26 · ‎04-03-2023

How to represent good visualization with the following fields

DeviceID, Software Version (Eg 1.22.2222.34) , Software Version Release Date (2020-02-03 00:00:00) , Software Version last timestamp ( 2020-02-05 02:04:45) and Total_Days ( 2)

Total Days is the difference between Software Version Release Date and Software Version last timestamp.

Chart should cover all fields

gcusello · ‎04-03-2023

Hi @kirthika26,

are all the information in one event or in different events from different data sources?

could you share a sample of these events, eventually one or two from each data source?

because if they are in one event, you have only to display them using table and calculating the Total Days using eval.

If instead (as I suppose) they are in different data sources I have to correlate them.

Ciao.

Giuseppe

kirthika26 · ‎04-03-2023

Attached sample gcusello.

all from same sources

gcusello · ‎04-03-2023

Hi @kirthika26,

sorry, I wasn't clear: I need some sample of the raw events in text mode, not screenshot.

Anyway, viewing your message, I suppose that you have data in a csv, did you already indexed in Splunk?

All the information seems to be in the same event, in this kind, you have only to use eval to calculate the date difference.

<your_search>
| eval Total_Days =round(strptime(timestamp,"%m/%d/%Y %H:%M")-strptime(releasetime,"%m/%d/%Y %H:%M"))/86400,2)
| table Device_ID VersionIP releasetime timestamp Total_Days
| rename 
   Device_ID AS DeviceID
   VersionIP  AS "Software Version"
   releasetime AS "Software Version Release Date"
   timestamp AS "Software Version last timestamp"
   Total_Days

remember that to compare different dates and times, you have to convert them in epochtime.

Ciao.

Giuseppe

kirthika26 · ‎04-03-2023

Hi Giuseppe ,

Thanks for your reply. But need help in final visualization part after table command

gcusello · ‎04-03-2023

Hi @kirthika26,

I renamed the columns and I rounded the Total_Days field

what else you would add in final visualization?

Ciao.

Giuseppe

kirthika26 · ‎04-03-2023

Thanks Giuseppe

gcusello · ‎04-03-2023

Hi @kirthika26,

if one answer solves your need, please accept one answer for the other people of Community or tell us how we can help you.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the Contributors;-)

diogofgm · ‎04-03-2023

Depending what you are trying to see I would say you could use either a sankey or a parallel coordinates custom viz.

Sankey

https://splunkbase.splunk.com/app/3112

Parallel Coordinates

https://splunkbase.splunk.com/app/3137

------------
Hope I was able to help you. If so, some karma would be appreciated.

How to represent good visualization with the following fields?

chart

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation

How to represent good visualization with the following fields?

chart

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability