Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to represent good visualization with the following fields?

kirthika26
Explorer
‎04-03-2023 03:05 AM

How to represent good visualization with the following fields

DeviceID, Software Version (Eg 1.22.2222.34) , Software Version Release Date (2020-02-03 00:00:00) , Software Version last timestamp ( 2020-02-05 02:04:45) and Total_Days ( 2)

 

Total Days is the difference between Software Version Release Date and Software Version last timestamp.

 

Chart should cover all fields

 

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-03-2023 03:16 AM

Hi @kirthika26,

are all the information in one event or in different events from different data sources?

could you share a sample of these events, eventually one or two from each data source?

because if they are in one event, you have only to display them using table and calculating the Total Days using eval.

If instead (as I suppose) they are in different data sources I have to correlate them.

Ciao.

Giuseppe

0 Karma
Reply

kirthika26
Explorer
‎04-03-2023 03:21 AM

 

 

Attached sample gcusello.

 

all from same sources

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-03-2023 03:34 AM

Hi @kirthika26,

sorry, I wasn't clear: I need some sample of the raw events in text mode, not screenshot.

Anyway, viewing your message, I suppose that you have data in a csv, did you already indexed in Splunk?

All the information seems to be in the same event, in this kind, you have only to use eval to calculate the date difference.

<your_search>
| eval Total_Days =round(strptime(timestamp,"%m/%d/%Y %H:%M")-strptime(releasetime,"%m/%d/%Y %H:%M"))/86400,2)
| table Device_ID VersionIP releasetime timestamp Total_Days
| rename 
   Device_ID AS DeviceID
   VersionIP  AS "Software Version"
   releasetime AS "Software Version Release Date"
   timestamp AS "Software Version last timestamp"
   Total_Days

remember that to compare different dates and times, you have to convert them in epochtime.

Ciao.

Giuseppe

0 Karma
Reply

kirthika26
Explorer
‎04-03-2023 03:37 AM

Hi Giuseppe ,

 

Thanks for your reply. But need help in final visualization part after table command

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-03-2023 03:39 AM

Hi @kirthika26,

I renamed the columns and I rounded the Total_Days field

what else you would add in final visualization?

Ciao.

Giuseppe

0 Karma
Reply

kirthika26
Explorer
‎04-03-2023 03:52 AM

Thanks Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-03-2023 03:55 AM

Hi @kirthika26,

if one answer solves your need, please accept one answer for the other people of Community or tell us how we can help you.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the Contributors;-)

0 Karma
Reply

diogofgm
SplunkTrust
SplunkTrust
‎04-03-2023 03:15 AM

Depending what you are trying to see I would say you could use either a sankey or a parallel coordinates custom viz.

Sankey

https://splunkbase.splunk.com/app/3112

Parallel Coordinates

https://splunkbase.splunk.com/app/3137

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...