Splunk Search

how to create line chart with multiple fields like timeline?

avivn
Explorer

hello,

i have this raw table:

1     2   3   4   5   6   7   8     9   10
0     0   0     0   0     0   0   0   0   0
502 497 496 496 497 500 499 499 498 497
0     0   0   0   0   0   0   0   0   0
496 491 493 492 493 497 496 497 497 492
496 488 492 491 490 496 495 497 496 491
506 502 502 501 504 506 504 504 503 501
496 490 490 490 491 495 493 494 494 491
549 541 542 541 542 547 547 548 547 542

the first line indicates second, the other lines indicate unique tester with his result for each second.
how can i create a chart that contains for the 8 testers the timeline with the value of each second?

thank you

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

This puts your data in, as you have presented it...

| makeresults 
| eval _raw=" 1      2      3      4      5      6      7      8      9      10
 0      0      0      0      0      0      0      0      0      0
 502    497    496    496    497    500    499    499    498    497
 0      0      0      0      0      0      0      0      0      0
 496    491    493    492    493    497    496    497    497    492
 496    488    492    491    490    496    495    497    496    491
 506    502    502    501    504    506    504    504    503    501
 496    490    490    490    491    495    493    494    494    491
 549    541    542    541    542    547    547    548    547    542"

This turns it into data fields called Tester_01 thru Tester_10, then assigns one-second increments to the different readings. The actual _time used is completely arbitrary in this version.

| multikv noheader=true
| rename Column_*  as Tester_0* | rename Tester_010  as Tester_10
| streamstats count  | eval _time = _time + count | table _time Tester*

Now we turn it into one result record per tester per _time unit, and then timechart the results...

| Untable _time tester result
| timechart span=1s sum(result) by tester

Your data basically all land on top of one another, so there's not a lot to see in the result graph, but it works.

0 Karma

Richfez
SplunkTrust
SplunkTrust

Is that how the data is in Splunk? What are the events - do you have one event for the first line, another for the second and so on? Or is the output above from a lot of manual search work? Or is this in Excel?

Mainly I ask because you may find it a lot easier to revise the original data into a different structure.

0 Karma

avivn
Explorer

the data from excel, so Splunk took the first row (the seconds) as columns name.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...