Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Automate splunk to reproduce data set from multiple indices and create their patterns?

paritoshs24
Path Finder
‎10-14-2022 10:09 PM

Hi Team my data across multiple  indices looks  like this from  latest index to oldest

oldest                   latest      
Index
1		         index 2          index 
3		      
par  lkg target workweek   par  lkg target workweek   par  lkg target workweek
a 1 8 ww1   a 5 8 ww2   a 4 8 ww3
b 2 9 ww1   b 6 9 ww2   b 5 9 ww3
c 3 7 ww1   c 7 7 ww2   c 8 7 ww3
d 4 6 ww1   d 8 6 ww2   d 2 6 ww3

 

I want to recreate data like this

par Target ww1 ww2 ww3 line chart
a 8 1 5 4  
b 9 2 6 5  
c 7 3 7 8  
d 6 4 8 2  

 

The major catch  is  .... we do not know  how  many indices are there .....we do no know how many par are there in any index and how to automate splunk to create  line chart for each of these par showing  lkg trend across the workweeks.

@Richfez  @richgalloway  @ITWhisperer  @aljohnson_splun @PickleRick autom

Labels (2)
Labels
0 Karma
Reply

paritoshs24
Path Finder
‎10-15-2022 02:31 AM

Some Answers to the above queries .
@PickleRick 
My events may look like..the following
This is from  index 1

14/10/2022
00:59:30.000
{ [-]
 
 
 par a
 lkg 1
 target 8
 workweek ww_41_2022
  

  We have similar events for different par's  having different lkg and different targets.
Also we have multiple  such index/sources which again  contain  multiple events  like above.

@gcusello 

  • workweek is a number or a date?
    its shown  above...its a string -----a mix of numerals and alphabets

  • the cross between workweek and par is a count or the value of lkg?
    its the value of lkg.....i cant specify numbers due to data copyrights 🙂
  • the relation par-target is always 1:1?
    yes its a 1:1......... for every par we have  a lkg we have a target and a corresponding workweek.

  • par, lkg, target and workweek are all in the same event (record) in all the three indexes?
    yes  all the  multiple indices have events which contain same info like par  its target its lkg and corresponding ww info...and many other info  but  they are irrelevant  as of now.
     
  • when you say line chart, are you meaning one line chart or one for each workweek?
    When i say line chart i mean to say  the  summary that  i need to create shud  have  par/targets/and  lkg from each ww and a line chart showing how lkg is changing for each par across all workweeks.......for  my line chart y axis wud contain lkg while x axis  wud contain the ww

    parTargetww1ww2ww3line chart
    a8154 
    b9265 
    c7378 
    d6482 
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎10-17-2022 03:39 AM

It seems you have extra information (the par value which is repeated with every event). In a context of analyziing single event it's good because it lets you do a quick check without consulting any external sources (splunk is not an RDBMS so we won't teach you about database normalization here ;-)). But seriously - what if the par value changed over time?

Anyway, it seems that what you need is an xyseries command which takes such "indexed" events and puts them over a table.

The trick here is that xyseries normally works with three fields - X-index, Y-index and value whereas in your events you have par and target which should be the "Y-index". So you'd need to combine them into one value, then do xyseries and then split them again into separate values.

Anyway, just out of curiosity - why do you have multiple indexes with the same kind of data?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-15-2022 02:34 AM

Hi @paritoshs24,

does my search work for you?

Ciao.

Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-14-2022 11:25 PM

Hi @paritoshs24,

some questions:

  • workweek is a number or a date?
  • the cross between workweek and par is a count or the value of lkg?
  • the relation par-target is always 1:1?
  • par, lkg, target and workweek are all in the same event (record) in all the three indexes?
  • when you say line chart, are you meaning one line chart or one for each workweek?

So if:

  • workweek is a number
  • the cross between workweek and par is the value of lkg
  • the relation par-target is always 1:1
  • par, lkg, target and workweek are all in the same event

you could try something like this:

<your_search>
| eval column=par."|".target
| chart values(lkg) AS lkg OVER column BY workweek

that you can display in a table or in a chart.

Ciao.

Giuseppe

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎10-14-2022 10:49 PM

These are not your single events, are they?

Show us what your events look like.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...