Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

timechart for multiple, but similar, itemnames

splunk_question
Explorer
‎05-15-2018 01:31 PM

I am attempting to grab data from a set of Items that all have relatively similar names, i.e.:

ItemName = LocX_VarY.DataTypeZ

Where the individual words are descriptors of where the data point was taken from, such as:

Location0001_Windspeed.10M

Now, say that I want to create a timechart that plots multiple different items, like:

Location0001_Windspeed.Below10M
Location0001_Windspeed.10M
Location0001_Windspeed.100M
Location0038_Windspeed.Below10M
etc.

How can I structure my search function in such a way that I don't have to manually enter in all of the locations/datatypes to get all applicable ItemNames and the data that corresponds to them.

Note that the examples provided were just examples, not representative of what the data looks like.

Tags (1)
0 Karma
Reply

DalJeanis
Legend
‎05-23-2018 11:48 AM

This would break the individual parts of the ItemNames out:

| rex field=ItemName "(?<LocX>[^_]+)_(?<VarY>[^\.]+)\.(?<DataTypeZ>.+)$"

Then you could use post-processing such as | stats count by LocX | fields locX to put them in individual multiselect dropdowns for your user to choose between.

However, when you put them into timechart, you are probably going to want to merge the ItemName back together, and/or perhaps use trellis to spread the timecharts over multiple panels.

0 Karma
Reply

splunk_question
Explorer
‎05-15-2018 01:44 PM

I can do

| timechart span=xxx values(value) by ItemName

But I'm looking for a more precise way to do it, especially when I want to condense the output downs into specific subsets of data.

Note that, in addition to a "Location 0001" and "Windspeed" variables, there would be dozens of others for each of those. Sorting by Locations and their Particular Variables or Particular Variable at a given Location is important.

0 Karma
Reply

somesoni2
Revered Legend
‎05-15-2018 02:14 PM

Could you explain what type of filters you'd apply when you want to condense the output? If you're looking to plot timechart for specific type of ItemNames, you can add a search filter just before your time chart. E.g.

your base search
| where like(ItemName,"%YourFilter%") 
| timechart span=xxx values(value) by ItemName
Reply

splunk_question
Explorer
‎05-23-2018 06:09 AM

Sorry I never responded, I managed to find some data that was structured in a different way to help me accomplish this task. Thanks for the hint on the filter though, that will be extremely helpful in the future.

0 Karma
Reply

niketn
Legend
‎05-23-2018 06:30 AM

@splunk_questions could you please post the details of the approach you used to solve your issue and accept the same as answer to help others facing similar issue.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...