- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How do I group Kepware Torque tool data by VIN...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not sure how to accomplish this and need some advice from the experts here.
I am working with data from a torque tool being fed into a kepware system and then into Splunk.
What happens first is I receive an event like below:
2016-06-13 21:02:36.579 +0000 Tag="Torque.Device1.VEHICLE IDENTIFICATION NUMBER.VIN1" Value="wiokdsk43" Quality="good"
This represents the ‘job’ that someone is working on. After this I receive a bunch of events like this:
2016-06-13 21:02:43.164 +0000 Tag="Torque.Device1.LAST TIGHTENING RESULTS.LTR_ANGLE_VALUE" Value="24" Quality="good"
2016-06-13 21:02:43.165 +0000 Tag="Torque.Device1.LAST TIGHTENING RESULTS.LTR_TORQUE_VALUE" Value="3.52999997" Quality="good"
2016-06-13 21:02:46.240 +0000 Tag="Torque.Device1.LAST TIGHTENING RESULTS.LTR_TORQUE_VALUE" Value="2.72000003" Quality="good"
It can be usually 5-10 more events before receiving another event identifying the next Vehicle Identification Number.
I need to be able to group together all events between Vehicle identification numbers as a single group/transaction so I can gather statistics and build visualizations for the specific ‘job’
Ideally I would like to be able to create a table of all last tightening results associated with a specific ‘job’
How do I accomplish this?
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
See if this works for you
sourcetype=Kepware index=kepware Quality="good" | rex "\.VIN1"\sValue="(?<VIN>[^"]+)" | eval group=VIN | reverse | filldown group | stats last(Value) as LastValue by group
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
See if this works for you
sourcetype=Kepware index=kepware Quality="good" | rex "\.VIN1"\sValue="(?<VIN>[^"]+)" | eval group=VIN | reverse | filldown group | stats last(Value) as LastValue by group
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you. This should work fine for my purpose.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've actually been able o crunch the data with the transaction command and now have another question still around how to build a group of the associated uses of the torque tool per VIN job.
sourcetype=Kepware index=kepware Quality="good"| transaction startswith="VEHICLE IDENTIFICATION NUMBER"
Im still though having problems building a table of the torque values per vin job.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Voinski,
Ever considered using the metadata field in Kepware? You could give each Tag an ID, so it appears as:
2016-06-13 21:02:43.164 +0000 Tag="Torque.Device1.LAST TIGHTENING RESULTS.LTR_ANGLE_VALUE" Value="24" Quality="good" VINID = A
2016-06-13 21:02:43.165 +0000 Tag="Torque.Device1.LAST TIGHTENING RESULTS.LTR_TORQUE_VALUE" Value="3.52999997" Quality="good" VINID = A
2016-06-13 21:02:46.240 +0000 Tag="Torque.Device1.LAST TIGHTENING RESULTS.LTR_TORQUE_VALUE" Value="2.72000003" Quality="good" VINID = A
Afterwhich, you can just search for VINID = A. Can you sketch up an endstate mock up of the visualization?
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
