Splunk Search

how do I change label name on legend for a graph?

matoulas
Path Finder

Hi,

We've our JSON code that send to Splunk. Everything is working great as expected, but I would like to know how do I change label name on legend for a graph and would like to keep a lookup name as plug1, plug2, plug3 and so on when user click on each legend for drill down detail for each plug? see image chart below. What I would like to do I want to rename label from plug1, plug2, plug3... to plugname of each plugs. For Example plug1 has a plugname value of Outlet_A1,plug2 has a plugname value of Outlet_A2, and plug3 has a plugname value of Outlet_A3 and so on.

my search string for the graph:

| search sourcetype=powerdata siteid=$siteid$ assettag=$assettag$ 
| timechart avg("powerdata{}.plug1{}.current") as plug1, avg("powerdata{}.plug2{}.current") as plug2, avg("powerdata{}.plug3{}.current") as plug3, avg("powerdata{}.plug4{}.current") as plug4, avg("powerdata{}.plug5{}.current") as plug5, avg("powerdata{}.plug6{}.current") as plug6, avg("powerdata{}.plug7{}.current") as plug7, avg("powerdata{}.plug8{}.current") as plug8, avg("powerdata{}.plug9{}.current") as plug9, avg("powerdata{}.plug10{}.current") as plug10, avg("powerdata{}.plug11{}.current") as plug11, avg("powerdata{}.plug12{}.current") as plug12, avg("powerdata{}.plug13{}.current") as plug13, avg("powerdata{}.plug14{}.current") as plug14, avg("powerdata{}.plug15{}.current") as plug15, avg("powerdata{}.plug16{}.current") as plug16 
| eval plug1=round(plug1,2) 
| eval plug2=round(plug2,2) 
| eval plug3=round(plug3,2) 
| eval plug4=round(plug4,2) 
| eval plug5=round(plug5,2) 
| eval plug6=round(plug6,2) 
| eval plug7=round(plug7,2) 
| eval plug9=round(plug9,2) 
| eval plug10=round(plug10,2) 
| eval plug11=round(plug11,2) 
| eval plug12=round(plug12,2) 
| eval plug13=round(plug13,2) 
| eval plug14=round(plug14,2) 
| eval plug15=round(plug15,2) 
| eval plug16=round(plug16,2)

Can you please point me to the right direction? Looking forward to your help.
Below is our custom JSON code that send to Splunk.

{
    "timestamp": "2019-06-21T21:50:13+00:00",
    "siteid": "LABRACK1",
    "assettag": "CPM-1600-1-ECAM-LAB",
    "powerunit": "1",
    "outletmetering": "1",
    "ats": "1",
    "branchcount": "2",
    "plugcount": "16",
    "powerfactor": "100",
    "powereff": "100",
    "powerdatacount": "1",
    "powerdata": [{
        "timestamp": "2019-06-21T21:50:13+00:00",
        "plug1": [{
            "voltage": "114.00",
            "current": "2.00",
            "branch": "1",
                        "plugname": "Outlet_A1"
        }],
        "plug2": [{
            "voltage": "114.00",
            "current": "5.00",
            "branch": "1",
                        "plugname": "Outlet_A2"
        }],
        "plug3": [{
            "voltage": "114.00",
            "current": "3.00",
            "branch": "1",
                        "plugname": "Outlet_A3"
        }],
        "plug4": [{
            "voltage": "114.00",
            "current": "1.00",
            "branch": "1",
                        "plugname": "Cisco-SW3560"
        }],
        "plug5": [{
            "voltage": "114.00",
            "current": "2.00",
            "branch": "1",
                        "plugname": "Cisco-SW3760"
        }],
        "plug6": [{
            "voltage": "114.00",
            "current": "5.00",
            "branch": "1",
                        "plugname": "UPS"
        }],
        "plug7": [{
            "voltage": "114.00",
            "current": "3.00",
            "branch": "1",
                        "plugname": "Outlet_A7"
        }],
        "plug8": [{
            "voltage": "114.00",
            "current": "1.00",
            "branch": "1",
                        "plugname": "Outlet_A8"
        }],
        "plug9": [{
            "voltage": "119.00",
            "current": "2.00",
            "branch": "2",
                        "plugname": "F5"
        }],
        "plug10": [{
            "voltage": "119.00",
            "current": "7.00",
            "branch": "2",
                        "plugname": "Camera"
        }],
        "plug11": [{
            "voltage": "119.00",
            "current": "5.00",
            "branch": "2",
                        "plugname": "TV"
        }],
        "plug12": [{
            "voltage": "119.00",
            "current": "1.00",
            "branch": "2",
                        "plugname": "Meraki"
        }],
        "plug13": [{
            "voltage": "119.00",
            "current": "4.00",
            "branch": "2",
                        "plugname": "Outlet_13"
        }],
        "plug14": [{
            "voltage": "119.00",
            "current": "5.00",
            "branch": "2",
                        "plugname": "Outlet_A14"
        }],
        "plug15": [{
            "voltage": "119.00",
            "current": "3.00",
            "branch": "2",
                        "plugname": "PC"
        }],
        "plug16": [{
            "voltage": "119.00",
            "current": "1.00",
            "branch": "2",
                        "plugname": "Outlet_A16"
        }]
    }]
}

alt text
alt text

Tags (2)
0 Karma

woodcock
Esteemed Legend

Why don't you just change your AS plug# stuff to AS Outlet_A# in your SPL?

0 Karma

woodcock
Esteemed Legend

You can add this to the end of your existing search:

... | rename plug* AS Outlet_A*
0 Karma

matoulas
Path Finder

Hi Woodcock,

Thank you for your help!

As the above code, It's working but sorry for the confusing of the plugname in legend. I would like to display dynamic plugname according to plug#... base on JSON code. For example plug1 has plugname of "Outlet_A1", plug12 has plugname of "Meraki", plug10 has a plugname of "Camera" because each plug# has it own plugname base on user assignd. Also when click on individual plugname on the chart for the drill down on the legend I would like to keep the $click.name2$ as plug#...base on the user click for detail instead of plugname.

I'm not sure if it's possible, looking forward to your help again!

0 Karma

woodcock
Esteemed Legend

You can add this to the end of your existing search:

... 
| untable _time yaxis count 
| rex field=yaxis mode=sed "s/plug/Outlet_A/"
| xyseries _time yaxis count
0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...