I'm new to Splunk so I apologize if this is very obvious, but I haven't seen anything that seems like it fits my needs exactly in the community.

I'm trying to build a dashboard that will display temperature values from sensors based on messages received in a stream. The messages come in with a time, a sensor id/name, and a temperature. For any given period of time I won't know how many sensors I will receive temperatures from.

Currently my query is based on a table that splits the sensors into columns and then adds the values based on time: This kind of works for me - except I need my dashboard to look like this: The line chart is probably good enough, because I can set the nullvaluemode to connect, which covers the gaps in data. But the Singles and Sparklines at the top are not very useful.

Basically I'm looking for any suggestions on how I can improve the query to make that top section work better. I've tried to keep track of a "lastKnownTemp" using last() to use to fill in the null values, but I don't know how to do it for an unknown number of sensors. Ideally I think this would be the way I would want to go if someone knew of a way to accomplish this?

I've considered using transactions to split the messages by sensor id, but then when I get a single event that has a bunch of events inside, I don't really know what to do with them.

Any suggestions or information would be greatly appreciated.