Dashboards & Visualizations

Map events using lat long

ips_mandar
Builder

Below is my sample event:

29-09-2019 8:00:00 Pullout longitude latitude
29-09-2019 8:02:10 loss  longitude latitude
29-09-2019 8:02:55 restore longitude latitude
29-09-2019 8:09:00 loss longitude latitude
29-09-2019 8:12:10 restore longitude latitude
29-09-2019 8:54:10 PullIn longitude latitude
29-09-2019 9:02:10 loss longitude latitude
29-09-2019 9:02:55 restore longitude latitude
29-09-2019 9:09:00 loss longitude latitude
29-09-2019 8:12:10 restore longitude latitude
29-09-2019 9:00:00 Pullout longitude latitude
...

Here I want to group startswith="pullout" to endswith="pullIn", but only take loss events where the time between loss and restoration is more than 1 min, exclude those less than 1 min, and plot the losses on a map using latitude and longitude.
Any help will be appreciated. I tried the transaction command but was unable to succeed.
Thanks.

0 Karma

vik_splunk
Communicator

Hi ips_mandar

Can you provide more inputs on this? The way I see it, it goes along the lines of

  1. Create a transaction starting with Pullout and ending with PullIn
  2. Within the events in the transaction, compute difference between loss and restore events and retain only those where there is a loss of > 1 minute. Is that to be accumulated within a transaction?

i.e. in the sample data, should (8:02:55 - 8:02:10) 45 seconds be a separate event, or should losses be accumulated within a transaction?

29-09-2019 8:00:00 Pullout longitude latitude
29-09-2019 8:02:10 loss longitude latitude
29-09-2019 8:02:55 restore longitude latitude
29-09-2019 8:09:00 loss longitude latitude
29-09-2019 8:12:10 restore longitude latitude
29-09-2019 8:54:10 PullIn longitude latitude

Depending on the definition, the approach will change. It almost seems like a transaction within a transaction. Check out these links if that's what you are trying to achieve.

https://answers.splunk.com/answers/30980/nested-transactions.html
https://www.splunk.com/blog/2011/01/11/maintaining-state-of-the-union.html

0 Karma

ips_mandar
Builder

@vik_splunk you understand correctly, I want a transaction within a transaction.
In the above sample data I am more concerned about (8:09:00 - 8:12:10), i.e. a loss lasting more than 1 min, and I don't want the 45 sec one (8:02:55 - 8:02:10).
I want the losses lasting more than 1 min, to ignore those less than 1 min, and then to plot the losses on a map. How can I achieve this?
I did check these links but was unable to understand them. Can you please explain how I can achieve it in my case?
Thanks,

0 Karma

gcusello
SplunkTrust

Hi ips_mandar
try something like this:

| your_search
| transaction source startswith="loss" endswith="restore"
| where duration>60
| table duration latitude longitude

Bye.
Giuseppe

0 Karma

ips_mandar
Builder

Thanks, but as I mentioned I want only the events falling between "PullOut" and "PullIn", and I want to plot only the losses on the map.

0 Karma

richgalloway
SplunkTrust

Please explain "loss and restoration time". Also, what SPL have you tried already?

---
If this reply helps you, Karma would be appreciated.
0 Karma

ips_mandar
Builder

Loss and restoration time means the GPS unit lost its connection and then restored it.
I tried ...|transaction source startswith="Pullout" endswith="PullIn"

0 Karma