Splunk Search

Single Value Over Time Graph

tsukasa
Explorer

Hi All~

Have a question about charting. I have a simple XML message being sent in from my devices that I am having Splunk parse. One of the messages coming in indicates temperature that the device sensor read when the message was generated. The message looks like:

<Jetstream><Header EventId="f0189627-3d41-4d94-9338-20d8c3627d8e" EventTime="2011-05-09T17:05:54Z" LogicalDeviceId="10000452" ReceivedTime="2011-05-09T17:06:08Z" /><SensorReadingEvent><ReadingList><Reading Name="TemperatureA" Value="-21" ReadingTime="2011-05-09T17:05:54Z" /></ReadingList></SensorReadingEvent></Jetstream>

All I want to do is create a simple line graph for the last 24 hours for 'Temperature A' with time on X and temperature value on Y. I've tried timechart and chart with various options but haven't been able to figure out the correct syntax to get the graph I'm looking for.

Any suggestions? Thanks!

1 Solution

gkanapathy
Splunk Employee

If you already have _time and TemperatureA, and don't want a bucketed timechart, you can use:

... | stats first(TemperatureA) as TemperatureA by _time

And chart that, or

... | stats list(TemperatureA) as TemperatureA by _time

But do be aware that there is a default limit (that can be increased in a custom dashboard) on the number of "slots" you can graph on the x-axis, and it's something like 250 or 400, so if you have more than that number of observations, you will have some truncation in the default charting view.

tsukasa
Explorer

That did the trick.

However, there seems to be some strangeness when working with other panel types. For example, I have a table with <searchPostProcess>fields EventTime, sourcetype, LogEntryType, Message, TemperatureA, TemperatureB, EventId</searchPostProcess> and it pulls out some fields. That's what was confusing me.

Thanks again for the help!

gkanapathy
Splunk Employee

Yes, it's because when you run a searchTemplate, fields that are not referenced in the original search are optimized away, so when you then try to postProcess them, there's nothing to process. You can work around this by simply including them in the original search, e.g., by adding a | fields sourcetype,EventTime,Temperature* to the end of the main search.

tsukasa
Explorer

Any idea why the chart is displayed when the full search is used in and does not when split up with and ? This is for a 'View' with a form submit.

Split it looks like:

<searchTemplate>host="Jetstream" AND LogicalDeviceId="$logicaldeviceid$" | dedup EventId</searchTemplate>

and

<searchPostProcess>search sourcetype="SensorReadingEvent" | fields EventTime, TemperatureA, TemperatureB | stats first(TemperatureA) as TemperatureA, first(TemperatureB) as TemperatureB by EventTime</searchPostProcess>

tsukasa
Explorer

You have the correct line of thinking. There is a custom field extraction, TemperatureA, that exists for when there are multiple <Reading> nodes.

If it helps, the search criteria I have created already is:

host="Jetstream" AND sourcetype="SensorReadingEvent" AND LogicalDeviceId="10000452" | dedup EventId | <rest of search>

When I add in your first suggestion, it gives me the results in a Results Table. However, instead of the _time factor just being say hourly, it is broken up into 30 minute intervals. This leaves gaps in the resulting max(temp) column.

For me the ideal would be a time column based on the ReadingTime key/value and a second column for TemperatureA. It would be a one for one listing and not a summary. However, I'm not sure the charting allows for direct input like that. Hopefully that makes sense.

As for the data source, it's more for system monitoring of devices. I'm attempting to create a Device-centric view/dashboard for quick assimilation of data the device is reporting.

sideview
SplunkTrust

You can pipe the raw events to the xmlkv command and that should give you a field on the event rows called 'Value'. If you want to make it smarter and/or if it needs to be able to accommodate more than one <SensorReadingEvent> or more than one <Reading> node then you will probably want to define a custom field extraction to pick the right 'Value' out of the XML and turn it into a field called 'TemperatureA'.

But if you just have the one <Reading> node in each event xmlkv should work. Something like this:

<your search> | xmlkv | rename Value as temp | timechart max(temp) 

or this is similar but it will draw min, max and avg on the same graph:

<your search> | xmlkv | rename Value as temp | timechart min(temp) avg(temp) max(temp) 

Also, what kind of data is this? I ask because I am developing a general app for process manufacturing tag data. We have a windows service that pulls data into Splunk directly from OSISoft's PI System, so if this is some kind of process manufacturing or scada system, and you already have PI installed, my app may offer an easier way of getting things indexed. If that sounds interesting I can certainly arrange for you to try out a beta of the app. If not no worries.
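As an added example (not code from this thread or from Splunk), here is the per-name extraction sideview describes and the `| dedup EventId | stats first(TemperatureA) as TemperatureA by _time` step from the accepted answer, approximated in Python over constructed Jetstream events so the multiple-<Reading> and duplicate-EventId cases can be checked offline. The names `jetstream_event`, `extract_reading` and `first_by_time` are assumed here; "first" is taken as first-seen in input order, which is a simplification of Splunk's search-order semantics.

```python
import xml.etree.ElementTree as ET
from collections import OrderedDict

# Note: ElementTree is fine for trusted device feeds; for XML from untrusted
# sources, parse with defusedxml instead to rule out entity-expansion tricks.


def jetstream_event(event_id, event_time, readings):
    """Build a constructed Jetstream message with the same shape as the question's sample."""
    header = ('<Header EventId="%s" EventTime="%s" LogicalDeviceId="10000452" '
              'ReceivedTime="%s" />' % (event_id, event_time, event_time))
    items = ''.join('<Reading Name="%s" Value="%s" ReadingTime="%s" />' % (n, v, event_time)
                    for n, v in readings)
    return ('<Jetstream>%s<SensorReadingEvent><ReadingList>%s</ReadingList>'
            '</SensorReadingEvent></Jetstream>' % (header, items))


# Constructed test data: one event delivered twice (same EventId), one event
# carrying two readings, and one event with no TemperatureA reading at all.
SAMPLE_EVENTS = [
    jetstream_event("evt-0001", "2011-05-09T17:05:54Z", [("TemperatureA", "-21")]),
    jetstream_event("evt-0001", "2011-05-09T17:05:54Z", [("TemperatureA", "-21")]),
    jetstream_event("evt-0002", "2011-05-09T18:05:54Z", [("TemperatureB", "4"), ("TemperatureA", "-19")]),
    jetstream_event("evt-0003", "2011-05-09T19:05:54Z", [("TemperatureB", "5")]),
]


def extract_reading(event_xml, name="TemperatureA"):
    """Like the custom field extraction: pick the <Reading> whose Name matches, however
    many <Reading> nodes the list holds. Returns (EventId, ReadingTime, int value) or None."""
    root = ET.fromstring(event_xml)
    event_id = root.find("Header").get("EventId")
    for reading in root.iter("Reading"):
        if reading.get("Name") == name:
            return event_id, reading.get("ReadingTime"), int(reading.get("Value"))
    return None  # plain xmlkv would have returned the wrong 'Value' or nothing here


def first_by_time(events, name="TemperatureA"):
    """Approximates `| dedup EventId | stats first(<name>) by _time`: drop repeated EventIds,
    keep one value per ReadingTime, and return (time, value) pairs sorted by time."""
    seen_ids, series = set(), OrderedDict()
    for xml in events:
        hit = extract_reading(xml, name)
        if hit is None:
            continue
        event_id, when, value = hit
        if event_id in seen_ids:
            continue
        seen_ids.add(event_id)
        series.setdefault(when, value)
    return sorted(series.items())
```

The length of the returned series is what the accepted answer's x-axis "slot" limit applies to, so checking it against roughly 250 before charting tells you whether the default view will truncate.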
