Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Suggestions needed! How to combine data from different sensors

CBailey632
Engager
‎03-15-2023 07:22 AM

I'm new to Splunk so I apologize if this is very obvious, but I haven't seen anything that seems like it fits my needs exactly in the community. I'm trying to build a dashboard that will display temperature values from sensors based on messages received in a stream. 

The messages come in with a time, a sensor id/name, and a temperature. 

For any given period of time I wont know how many sensors I will receive temperatures from. 

Currently my query is based on a table that splits the sensors into columns and then adds the values based on time: 

CBailey632_0-1678889651371.png

 

This kind of works for me - except I need my dashboard to look like this: 

CBailey632_1-1678889705387.png

 

The line chart is probably good enough, because I can set the nullvaluemode to connect, which covers the gaps in data. But the Singles and Sparklines at the top are not very useful. Basically I'm looking for any suggestions on how I can improve the query to make that top section work better.

I've tried to keep track of a "lastKnownTemp" using last() to use to fill in the null values, but I don't know how to do it for an unknown number of sensors. Ideally I think this would be the way I would want to go if someone knew of a way to accomplish this?

I've considered using transactions to split the messages by sensor id, but then when I get a single event that has a bunch of events inside, I don't really know what to do with them. 

Any suggestions or information would be greatly appreciated. 

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-15-2023 07:32 AM

Try using filldown

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-15-2023 07:32 AM

Try using filldown

Reply
Solved! Jump to solution

CBailey632
Engager
‎03-15-2023 07:57 AM

Amazing! It worked perfectly. Thank you!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...