Splunk Search

timechart for multiple, but similar, itemnames

splunk_question
Explorer

I am attempting to grab data from a set of Items that all have relatively similar names, i.e.:

ItemName = LocX_VarY.DataTypeZ

Where the individual words are descriptors of where the data point was taken from, such as:

Location0001_Windspeed.10M

Now, say that I want to create a timechart that plots multiple different items, like:

Location0001_Windspeed.Below10M
Location0001_Windspeed.10M
Location0001_Windspeed.100M
Location0038_Windspeed.Below10M
etc.

How can I structure my search function in such a way that I don't have to manually enter in all of the locations/datatypes to get all applicable ItemNames and the data that corresponds to them.

Note that the examples provided were just examples, not representative of what the data looks like.

Tags (1)
0 Karma

DalJeanis
Legend

This would break the individual parts of the ItemNames out:

| rex field=ItemName "(?<LocX>[^_]+)_(?<VarY>[^\.]+)\.(?<DataTypeZ>.+)$"

Then you could use post-processing such as | stats count by LocX | fields locX to put them in individual multiselect dropdowns for your user to choose between.

However, when you put them into timechart, you are probably going to want to merge the ItemName back together, and/or perhaps use trellis to spread the timecharts over multiple panels.

0 Karma

splunk_question
Explorer

I can do

| timechart span=xxx values(value) by ItemName

But I'm looking for a more precise way to do it, especially when I want to condense the output downs into specific subsets of data.

Note that, in addition to a "Location 0001" and "Windspeed" variables, there would be dozens of others for each of those. Sorting by Locations and their Particular Variables or Particular Variable at a given Location is important.

0 Karma

somesoni2
Revered Legend

Could you explain what type of filters you'd apply when you want to condense the output? If you're looking to plot timechart for specific type of ItemNames, you can add a search filter just before your time chart. E.g.

your base search
| where like(ItemName,"%YourFilter%") 
| timechart span=xxx values(value) by ItemName

splunk_question
Explorer

Sorry I never responded, I managed to find some data that was structured in a different way to help me accomplish this task. Thanks for the hint on the filter though, that will be extremely helpful in the future.

0 Karma

niketn
Legend

@splunk_questions could you please post the details of the approach you used to solve your issue and accept the same as answer to help others facing similar issue.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...