I am attempting to grab data from a set of Items that all have relatively similar names, i.e.:
ItemName = LocX_VarY.DataTypeZ
Where the individual words are descriptors of where the data point was taken from, such as:
Location0001_Windspeed.10M
Now, say that I want to create a timechart that plots multiple different items, like:
Location0001_Windspeed.Below10M
Location0001_Windspeed.10M
Location0001_Windspeed.100M
Location0038_Windspeed.Below10M
etc.
How can I structure my search function in such a way that I don't have to manually enter all of the locations/datatypes to get all applicable ItemNames and the data that corresponds to them?
Note that the examples provided were just examples, not representative of what the data looks like.
This would break the individual parts of the ItemNames out:
| rex field=ItemName "(?<LocX>[^_]+)_(?<VarY>[^\.]+)\.(?<DataTypeZ>.+)$"
Then you could use post-processing such as | stats count by LocX | fields LocX
to put them in individual multiselect dropdowns for your user to choose between.
However, when you put them into timechart, you are probably going to want to merge the ItemName back together, and/or perhaps use trellis to spread the timecharts over multiple panels.
I can do
| timechart span=xxx values(value) by ItemName
But I'm looking for a more precise way to do it, especially when I want to condense the output down into specific subsets of data.
Note that, in addition to the "Location 0001" and "Windspeed" variables, there would be dozens of others for each of those. Sorting by locations and their particular variables, or by a particular variable at a given location, is important.
Could you explain what type of filters you'd apply when you want to condense the output? If you're looking to plot a timechart for specific types of ItemNames, you can add a search filter just before your timechart. E.g.
your base search
| where like(ItemName,"%YourFilter%")
| timechart span=xxx values(value) by ItemName
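Putting the two answers together as one search (an added example, not from either poster): rex splits ItemName into its parts, the search filter then selects by the extracted LocX and VarY fields instead of pattern-matching the raw name, and timechart still splits by the original ItemName so each series keeps its full label. The two location values, the Windspeed variable, the 1h span and avg(value) are assumptions; "your base search" is the placeholder the answer above already uses.

```spl
your base search
| rex field=ItemName "(?<LocX>[^_]+)_(?<VarY>[^\.]+)\.(?<DataTypeZ>.+)$"
| search (LocX="Location0001" OR LocX="Location0038") VarY="Windspeed"
| timechart span=1h avg(value) by ItemName
```

In a dashboard the two literal filter values become the multiselect tokens from the first answer, and enabling Trellis on the chart (split by ItemName) gives one panel per series.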
Sorry I never responded, I managed to find some data that was structured in a different way to help me accomplish this task. Thanks for the hint on the filter though, that will be extremely helpful in the future.
@splunk_questions could you please post the details of the approach you used to solve your issue and accept it as the answer to help others facing a similar issue.