- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Create an dashboard & alert depending on the busin...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How would one solve this problem:
We have a system that involves with bunch of wireless sensors. Each node report 3 sensor data (temp, humidity, battery) every 5 min. I was thinking to create a count on each node plus if one of the nodes doesn’t report within 5 min time interval I would get an alert.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Start with a search that extracts the fields from the data message :
(replace index and sourcetype with your actual values)
index=yourindex sourcetype=yoursourcetypy Got data message | rex field=_raw "NODE_ID=(?<node>\d+), SENSOR_ID=(?<sensor>\d+), NETWORK_ID=(?<network>\d+), TIMESTAMP=(?<timestamp>\d+), DATA=(?<data>\d+\.\d+)}]"
Then you can use the stats/chart/timechart/table etc... search commands to display and analyse the extracted fields (node, sensor, network, timestamp, data)
... | stats count by node sensor
Futhermore, you may wish to consider using a "lookup" for the sensor field to map the code(0,1,2...) to a meaningful description(temp, humidity, battery ...)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Start with a search that extracts the fields from the data message :
(replace index and sourcetype with your actual values)
index=yourindex sourcetype=yoursourcetypy Got data message | rex field=_raw "NODE_ID=(?<node>\d+), SENSOR_ID=(?<sensor>\d+), NETWORK_ID=(?<network>\d+), TIMESTAMP=(?<timestamp>\d+), DATA=(?<data>\d+\.\d+)}]"
Then you can use the stats/chart/timechart/table etc... search commands to display and analyse the extracted fields (node, sensor, network, timestamp, data)
... | stats count by node sensor
Futhermore, you may wish to consider using a "lookup" for the sensor field to map the code(0,1,2...) to a meaningful description(temp, humidity, battery ...)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nice > vote it up !
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you a lot Damien. That helped me a lot.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is a sample log:
25 Jan 2012 11:02:56,231 DEBUG (NetworkWorker-27 LoggingTransport.logMessage ) :: Got data message: [WSNGATEWAY:29, route, {NETWORK_ID=27, CHILD_ID=110457432248942813, PARENT_ID=801}]
25 Jan 2012 11:02:56,231 TRACE (NetworkWorker-27 NetworkWorker .run ) :: Sensor Type DATA received
25 Jan 2012 11:02:56,232 INFO (NetworkWorker-27 StoreSensor .StoreSensorData) :: Sensor 1 (node physID:1886c730c0000dd) : ch 0 : raw 6349 : conv 74.28200000000001
25 Jan 2012 11:02:56,232 DEBUG (NetworkWorker-27 BatchPublisher .sendMessage ) :: Message added, queue size: 1
25 Jan 2012 11:02:56,233 DEBUG (NetworkWorker-27 LoggingTransport.logMessage ) :: Got data message: [WSNSENSOR:30, lastValue, {NODE_PLATFORM=11, TYPE_ID=1, NODE_ID=110457432248942813, SENSOR_ID=0, NETWORK_ID=27, TIMESTAMP=1327518160913, DATA=74.28200000000001}]
25 Jan 2012 11:02:56,233 TRACE (NetworkWorker-27 NetworkWorker .run ) :: Sensor Type DATA received
25 Jan 2012 11:02:56,233 TRACE (NetworkWorker-27 StoreSensor .StoreSensorData) :: HUMIDITY_CONVERSION: Trying to do a compensated conversion using last temperature of 74.28200000000001 and sensor reading 1160
25 Jan 2012 11:02:56,234 INFO (NetworkWorker-27 StoreSensor .StoreSensorData) :: Sensor 2 (node physID:1886c730c0000dd) : ch 1 : raw 1160 : conv 39.057092000000004
25 Jan 2012 11:02:56,234 DEBUG (NetworkWorker-27 BatchPublisher .sendMessage ) :: Message added, queue size: 2
25 Jan 2012 11:02:56,234 DEBUG (NetworkWorker-27 LoggingTransport.logMessage ) :: Got data message: [WSNSENSOR:31, lastValue, {NODE_PLATFORM=11, TYPE_ID=2, NODE_ID=110457432248942813, SENSOR_ID=1, NETWORK_ID=27, TIMESTAMP=1327518160913, DATA=39.057092000000004}]
25 Jan 2012 11:02:56,234 TRACE (NetworkWorker-27 NetworkWorker .run ) :: Sensor Type DATA received
25 Jan 2012 11:02:56,235 INFO (NetworkWorker-27 StoreSensor .StoreSensorData) :: Sensor 5 (node physID:1886c730c0000dd) : ch 2 : raw 35249 : conv 3.029304029304029
25 Jan 2012 11:02:56,235 DEBUG (NetworkWorker-27 BatchPublisher .sendMessage ) :: Message added, queue size: 3
25 Jan 2012 11:02:56,235 DEBUG (NetworkWorker-27 LoggingTransport.logMessage ) :: Got data message: [WSNSENSOR:32, lastValue, {NODE_PLATFORM=11, TYPE_ID=5, NODE_ID=110457432248942813, SENSOR_ID=2, NETWORK_ID=27, TIMESTAMP=1327518160913, DATA=3.029304029304029}]
25 Jan 2012 11:02:56,236 DEBUG (JMS transport batch thread BatchPublisher .run ) :: Have sent 1 message(s) to AppServer
25 Jan 2012 11:02:56,256 DEBUG (JMS transport batch thread BatchPublisher .run ) :: Have sent 3 message(s) to AppServer
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
