Splunk Search

Timechart how to keep latest value

d_rech67
New Member

I'm getting in my splunk database a set of data coming from 8 sensors
Those 8 sensor work in a consecutive sequence
That means that when I get the info only 1 of the 8 set of data is updated

Currently my timechart shows only the last set of data all the others are 0 (zero)

index="morfi" | timechart bins=100 cont=false last(S3_F_Lp)

In the bellow image each column represent one sensor set of data

Thanks for your help

d_rech67_0-1613048534627.png

 

Labels (1)
Tags (1)
0 Karma

d_rech67
New Member

Thnks for coming back to me.

Average:
No in fact we want to have each column showing one sensor, what we already have.

what we don't have and would like to have is to see the latest result (<> 0) of each sensor and not only the one of the last sensor that has sent data.

What is happening currently is that the value of sensor S(i)  value drop to zero as soon as the data S(i+1)  is loaded.
We would like to keep the last value of each sensor.

index="morfi" | timechart bins=100 cont=false last(S1_F_Lp)


On an other dashboards we are getting this OK with a different display type
| stats latest(S1_F_Lp) as " S1_F_Lpmm", latest(S2_F_Lp) as "S2_F_Lpmm", latest(S3_F_Lp) as "S3_F_Lpmm", latest(S4_F_Lp) as "S4_F_Lpmm", latest(S5_F_Lp) as "S5_F_Lpmm", latest(S6_F_Lp) as "S6_F_Lpmm", latest(S7_F_Lp) as "S7_F_Lpmm", latest(S8_F_Lp) as "S8_F_Lpmm"

 

0 Karma

lydiapal_splunk
Splunk Employee
Splunk Employee

Could you send a sample of your data to understand your question better? And what are you looking to show - average across the 8 sensors or?

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.