Splunk Search

How do I find the latest value of multiple parameters in an event and display Zero if there is no data?

hwakonwalk
Path Finder

The data from multiple sensors comes into Splunk through a single DB connection as:

SensorId  ParamA  ParamB  ParamC
1         33      92      79
2         39      87      91
3         42      84      99

Each row indexes as a different event in Splunk with the same timestamp and a different SensorId.

I want to display the latest values of each parameter against each SensorId, and my search query is as follows:

sourcetype=aaa source=bbb | head 3 | table SensorId ParamA ParamB ParamC | sort SensorId

It seems to work fine, but I am not sure if it will still work if one of the sensors stops sending data; please suggest a possible workaround to display zero in such a case.


niketn
Legend

You can try running stats for a specific period. Whichever sensor is not listed, you will not get in the result.

sourcetype=aaa source=bbb
| table _time SensorId ParamA ParamB ParamC
| stats count last(ParamA) as LastParamA last(ParamB) as LastParamB last(ParamC) as LastParamC by SensorId

You can also run a timechart (only count will be meaningful). However, you will come to know if any sensor stops sending data and how long they have not been sending.

sourcetype=aaa source=bbb
| table _time SensorId ParamA ParamB ParamC
| timechart count by SensorId
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

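The stats search above drops any sensor that has no events in the search window, so a silent sensor disappears from the table instead of showing zero. The following search is an added example (not part of the answer or of the original question) that keeps the per-sensor stats approach but appends a list of expected SensorIds so that missing sensors still appear, with their parameters filled with 0 and a note on how long they have been silent. It assumes the same sourcetype=aaa source=bbb data and field names as the question, a 15-minute window, and a hypothetical inline list of expected sensor IDs (1,2,3,4) built with makeresults; in practice that list would come from an inputlookup of the sensor inventory. Unlike `head 3`, it does not depend on the number of sensors or on all rows sharing one timestamp.

```spl
sourcetype=aaa source=bbb earliest=-15m
| stats latest(ParamA) as ParamA latest(ParamB) as ParamB latest(ParamC) as ParamC latest(_time) as LastSeen by SensorId
| append
    [| makeresults
     | eval SensorId="1,2,3,4"
     | makemv delim="," SensorId
     | mvexpand SensorId
     | fields SensorId]
| stats max(ParamA) as ParamA max(ParamB) as ParamB max(ParamC) as ParamC max(LastSeen) as LastSeen by SensorId
| fillnull value=0 ParamA ParamB ParamC LastSeen
| eval Status=if(LastSeen > 0, "ok", "no data in window"),
       SecondsSilent=if(LastSeen > 0, now() - LastSeen, null())
| fields SensorId ParamA ParamB ParamC Status SecondsSilent
| sort num(SensorId)
```

The first stats picks the latest value of each parameter per sensor; the appended subsearch contributes one empty row per expected sensor; the second stats merges the two sets (the real values win because the appended rows have no parameter fields), and fillnull turns the remaining gaps into 0. A sensor that stopped sending shows 0 for every parameter and Status "no data in window", so the zero is distinguishable from a genuine reading of 0. Replace the makeresults subsearch with `| inputlookup expected_sensors.csv | fields SensorId` (a hypothetical lookup name) once the inventory is maintained as a lookup.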


hwakonwalk
Path Finder

Thank you niketnilay!

The timechart option is indeed helpful, but I have more than 20 sensors and it shows me the individual data for only 10 and the rest as "OTHER". Is there any way to find the data for all 15 to 20 sensors, or more if there are any?

Also, is there a way to identify the parameter for which the data is not being sent and display it in the same time chart?


niketn
Legend

Convert to the following. timechart limits the number of series plotted to 10 so that the visualization is not too messy. However, if you know that you have just 20 sensors, the following should work:

| timechart count by SensorId useother=f limit=20

Alternatively, you can also set limit=0 to show any number of series.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"