Splunk Search

How to use the value of one field to select/chart another field?

dbcase
Motivator

I have a json object (see below). I need to take the value of payload.chan (15 in this case) and using 15 select payload.eavgc15, payload.emax15, and payload.emin15 and chart the values. I can't quite figure out how to extract the value of payload.chan and then append that to payload.eavgc. I've tried eval testvariable=tostring(payload.chan) | eval testvariable1=payload.eavgc+testvariable but no luck.... Any thoughts?

cpeId:  9c97261be426 
    messageType:  zigBeeData 
    payload: { [-] 
      apsDecryptionFailures:  0 
      apsFrameCounterFailures:  0 
      apsRxBcast:  0 
      apsRxUcast:  355 
      apsTxBcast:  0 
      apsTxUcastFailures:  0 
      apsTxUcastRetries:  0 
      apsTxUcastSuccesses:  279 
      bufferAllocationFailures:  0 
      chan:  15 
      eavgc11:  -56 
      eavgc12:  -45 
      eavgc13:  -42 
      eavgc14:  -52 
      eavgc15:  -66 
      eavgc16:  -40 
      emaxc11:  -56 
      emaxc12:  -45 
      emaxc13:  -42 
      emaxc14:  -49 
      emaxc15:  -31 
      emaxc16:  -39 
      emaxc17:  -33 
      eminc11:  -56 
      eminc12:  -45 
      eminc13:  -42 
      eminc14:  -52 
      eminc15:  -72 
      eminc16:  -41 
0 Karma

MuS
SplunkTrust
SplunkTrust

Hi dbcase,

This is a tricky one, but I was able to get it working in a dashboard at least (Strange it's not working in Search though....)

Take a look at this dash board:

<form>
  <label>rex based on drop down</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="token">
      <label>Select chan:</label>
      <search>
        <query>index=* source="Untitled.txt" host="indexer" sourcetype="mytest" | dedup chan | table chan</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
      <fieldForLabel>chan</fieldForLabel>
      <fieldForValue>chan</fieldForValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>source="Untitled.txt" host="indexer" sourcetype="mytest" | fields chan e* | table * | rex max_match=0 "(?&lt;myField&gt;\w+c"$token$"):\s+(?&lt;myValue&gt;[^\s]+)" | fields - _raw | where chan=$token$ | table chan my* | eval zipped = mvzip(myField, myValue, "###") | mvexpand zipped | eval mv1 = replace(zipped, "###.*$", "") | eval mv2 = replace(zipped, "^.*###", "" ) | fields - zipped | eval {mv1}=mv2 | fields chan e* | stats max(*) AS *</query>
          <earliest>@d</earliest>
          <latest>now</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</form>

This will get all chan values into a drop down and gets back the evagc*, emaxc* and eminc* values based on the value of chan.

If you have more questions let me know and we can look at this offline 😉

Hope this helps ...

cheers, MuS

PS: here are my test events based on your provided examples:

cpeId:  9c97261be426 
     messageType:  zigBeeData 
     payload: { [-] 
       apsDecryptionFailures:  0 
       apsFrameCounterFailures:  0 
       apsRxBcast:  0 
       apsRxUcast:  355 
       apsTxBcast:  0 
       apsTxUcastFailures:  0 
       apsTxUcastRetries:  0 
       apsTxUcastSuccesses:  279 
       bufferAllocationFailures:  0 
       chan:  13 
       eavgc11:  -56 
       eavgc12:  -45 
       eavgc13:  -42 
       eavgc14:  -52 
       eavgc15:  -66 
       eavgc16:  -40 
       emaxc11:  -56 
       emaxc12:  -45 
       emaxc13:  -42 
       emaxc14:  -49 
       emaxc15:  -31 
       emaxc16:  -39 
       emaxc17:  -33 
       eminc11:  -56 
       eminc12:  -45 
       eminc13:  -42 
       eminc14:  -52 
       eminc15:  -72 
       eminc16:  -41 

cpeId:  9c97261be426 
     messageType:  zigBeeData 
     payload: { [-] 
       apsDecryptionFailures:  0 
       apsFrameCounterFailures:  0 
       apsRxBcast:  0 
       apsRxUcast:  355 
       apsTxBcast:  0 
       apsTxUcastFailures:  0 
       apsTxUcastRetries:  0 
       apsTxUcastSuccesses:  279 
       bufferAllocationFailures:  0 
       chan:  14 
       eavgc11:  -56 
       eavgc12:  -45 
       eavgc13:  -42 
       eavgc14:  -52 
       eavgc15:  -66 
       eavgc16:  -40 
       emaxc11:  -56 
       emaxc12:  -45 
       emaxc13:  -42 
       emaxc14:  -49 
       emaxc15:  -31 
       emaxc16:  -39 
       emaxc17:  -33 
       eminc11:  -56 
       eminc12:  -45 
       eminc13:  -42 
       eminc14:  -52 
       eminc15:  -72 
       eminc16:  -41 

cpeId:  9c97261be426 
     messageType:  zigBeeData 
     payload: { [-] 
       apsDecryptionFailures:  0 
       apsFrameCounterFailures:  0 
       apsRxBcast:  0 
       apsRxUcast:  355 
       apsTxBcast:  0 
       apsTxUcastFailures:  0 
       apsTxUcastRetries:  0 
       apsTxUcastSuccesses:  279 
       bufferAllocationFailures:  0 
       chan:  15 
       eavgc11:  -56 
       eavgc12:  -45 
       eavgc13:  -42 
       eavgc14:  -52 
       eavgc15:  -66 
       eavgc16:  -40 
       emaxc11:  -56 
       emaxc12:  -45 
       emaxc13:  -42 
       emaxc14:  -49 
       emaxc15:  -31 
       emaxc16:  -39 
       emaxc17:  -33 
       eminc11:  -56 
       eminc12:  -45 
       eminc13:  -42 
       eminc14:  -52 
       eminc15:  -72 
       eminc16:  -41 
0 Karma

dbcase
Motivator

Thanks MuS! Your solution prompted another way to do this. Our solution is kinda kludgy but it works in search.

index="cpe_index" messageType=zigBeeData | eval zigChanMinRssi=case('payload.chan'==15, 'payload.eminc15', 'payload.chan'==19, 'payload.eminc19', 'payload.chan'==20, 'payload.eminc20', 'payload.chan'==25, 'payload.eminc25') | chart values(zigChanMinRssi) AS "MIN" OVER time BY premiseId

We need to add the other fields but this seems to get us what we are looking for. Thank you!

0 Karma

MuS
SplunkTrust
SplunkTrust

Yeah, that's a lot of work and all hard coded - but well done 😉
I've updated my search in the dashboard a bit to return the field names as eavgc*, emaxc* or eminc* now.

cheers, MuS

0 Karma

dbcase
Motivator

Thanks ! I think you are on the right path but still unsure how to take the next step.

A bit more clarification on what I'm asking.....

In each json object there is the field payload.chan. This field will have one of 3 values currently. 11,15, 23. If the value is 15 we would like to graph the results of the payload.eavgc15, payload, payload.emaxc15 and payload.eminc15.

If the payload.chan value is 23 we would like to graph the results of the payload.eavgc23, payload, payload.emaxc23 and payload.eminc23.

and if the payload.chan value is 11 we would like to graph the results of the payload.eavgc11, payload, payload.emaxc11 and payload.eminc11.

Does that help?

0 Karma

gfreitas
Builder

Hi dbcase,

I'm not sure if I understood your question but you can use the map command to submit a result of a field to another search. You can find the documentation here: http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/map. You do a search where you find a result like this: sourcetype=xyz field1=filter | table filter_to_subsearch | map search "search sourcetypeabc filter="$filter_to_subsearch$""

Hope this helps.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...