Splunk Search

Help with search to use for dashboard - link key-value pairs

neilmac64
Explorer

Hi Folks - 

I would appreciate some help to create a dashboard. I want a simple line chart that shows how a value changes over time. 

My data comes from a csv file and in the csv, is in this format:

timestamp        mac_address         key         value
20220902-153931  xx:yy:zz:aa:bb:01   counter_01  246897
20220902-153931  xx:yy:zz:aa:bb:01   counter_02  1595

Further on in the same file we see the same keys for a different device by mac_address:

timestamp        mac_address         key         value
20220902-153931  xx:yy:zz:aa:bb:02   counter_01  600
20220902-153931  xx:yy:zz:aa:bb:02   counter_02  1350

This is how the data looks in search for a single device (identified by mac_address) and a single key (counter_01) with a value of 246897.

[screenshot: neilmac64_0-1662370147111.png]

These values are pulled via a script which runs according to a schedule, so the index will contain updated data with a new timestamp. In all there are about 20 key/value matches per device per run of the script.

What I would like to achieve:

A simple line chart that shows the values for device 1, showing the counter_01 key and how the value changes over time.

The problem I am having is understanding how to get the chart to identify the device and then show the right stat.

Once I know how to do this I'm sure I can work out how to display the other values. 

As always, I'm very grateful for any help.

NM

ITWhisperer
SplunkTrust

I am slightly confused by your example data and requirement - you have timestamps all the same (yet you want to show changes over time) - you have 3 mac addresses ending in 02 and 1 ending in 01 - the values for counter_01 are different, but the values for counter_02 are the same.

Charts would usually have 3 dimensions, _time / timestamp, value, series. Which of your fields represent these dimensions?

(You can use overlays to split some of the series into different scales, but the series are still the third dimension.)


neilmac64
Explorer

Thanks for the reply.

I have made some corrections to the original post - thanks for bearing with me.

To keep it simple, if we look for now at just mac address 1, so for a single device (i.e. define the mac address to display for), I would like to track the time as the x-axis. The y-axis would be the value. The dataset would be counter_01.

I hope this clears things up - thanks again for the help.


ITWhisperer
SplunkTrust

| where key="counter_01" AND mac_address="xx:yy:zz:aa:bb:01"
| timechart values(value) by key

neilmac64
Explorer

OK, I have this, but no results found:

| where index=index AND key=counter_01 AND mac_address="xx:yy:zz:aa:bb:01"
| timechart values(value) by key

(I added the index name)

Did I miss something?

ITWhisperer
SplunkTrust

What you have there is looking for a match between the value in field 'key' and the value in field 'counter_01' - to compare the value in field 'key' with the string value "counter_01", you need to have the string value in double quotes (as I showed).
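A complete search that puts the accepted answer into practice, added here as an example and not code from anyone in the thread. It assumes placeholder index and sourcetype names (YOUR_INDEX and YOUR_SOURCETYPE, to be replaced with your own) and that the CSV's timestamp column was not already mapped to the event time when the file was indexed; the field names timestamp, mac_address, key and value are the ones from the question.

```spl
index=YOUR_INDEX sourcetype=YOUR_SOURCETYPE mac_address="xx:yy:zz:aa:bb:01" key="counter_01"
| eval _time=strptime(timestamp, "%Y%m%d-%H%M%S")
| eval value=tonumber(value)
| timechart span=15m latest(value) by key
```

The device and key filters sit in the base search, where `key="counter_01"` (and even an unquoted `key=counter_01`) is a literal comparison; inside `where` the right-hand side is an eval expression, so an unquoted `counter_01` is read as a field name, which is why the earlier `| where ... key=counter_01` returned nothing. The index filter belongs in the base search for the same reason. The `strptime` line converts the `20220902-153931` timestamp into `_time` so `timechart` buckets on the collection time rather than the index time; it is harmless if `_time` was already set correctly. `span=15m` should match the script's schedule, and `latest(value)` takes the most recent reading in each bucket. Dropping `key="counter_01"` from the base search keeps the `by key` split and produces one line per counter, which covers the other values mentioned in the question.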
