Splunk Search

Can you help me visualize my input lookup file?

dinaabdelhakam
Path Finder

Hello There,

I have a CSV file as shown in the attached screenshot. I want someone to help me draw these dates on the x-axis and the streams on the y-axis, with the values shown on a secondary y-axis.

0 Karma
1 Solution

whrg
Motivator

The transpose command is your friend here: It converts rows to columns.

The real difficulty lies in your date format. They are sorted lexicographically: Apr < Aug < Dec < Feb < ...

Try this out:

your base search
| transpose header_field=Streams column_name=Date
| eval Date=Date+"-01" | eval Date=strptime(Date,"%b-%y-%d") | sort Date | eval Date=strftime(Date,"%Y-%m")

This should get you something like this which can be graphed with a line chart:

Date       StreamA    StreamB    ...
2018-01    788        571        ...
2018-02    780        538        ...
...        ...        ...        ...

Apparently, using strptime() without the day does not work. So I added "-01" to the date.


0 Karma
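A self-contained version of the search in the answer above, added here as an example and not part of the original post. The sample rows are constructed (column names in the `Mon-yy` form the answer's `strptime()` format implies, deliberately out of order), `makeresults format=csv` assumes a Splunk version that supports inline CSV data, and `transpose 0` lifts the command's default limit of 5 rows, which matters once the lookup holds more than five streams.

```spl
| makeresults format=csv data="Streams,Apr-18,Feb-18,Jan-18,Mar-18
StreamA,801,780,788,795
StreamB,549,538,571,560"
| transpose 0 header_field=Streams column_name=Date
| eval Date=strptime(Date."-01", "%b-%y-%d")
| sort 0 Date
| eval Date=strftime(Date, "%Y-%m")
```

With a real lookup, replace the `makeresults` line with `| inputlookup` on your own file and keep the rest unchanged.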
