How Can I Generate A Visualisation with Multiple Data Series In Splunk


I have been experimenting with Splunk, trying to emulate some basic functionality from the OSISoft PI Time Series database.

I have two data points that I wish to display trends for over time in order to compare fluctuations between them, specifically power network MW analogue tags.

In PI this is very easy to do, however I am having difficulty figuring out how to do it in Splunk.

How do I achieve this given the field values "SubstationA_T1_MW" and "SubstationA_T2_MW" in the field Tag?

The fields involved are TimeStamp, Tag, Value, and Status.

Edit:

Sample Input and Output listed below:

Sample Input Data

Sample Output


There are 2 answers

1
warren On BEST ANSWER

I suspect you're going to be most interested in timechart for this.

Something along the following lines may get you towards what you're looking for:

index=ndx sourcetype=srctp Value=* TimeStamp=* Status=* (Tag=SubstationA_T1_MW OR Tag=SubstationA_T2_MW) earliest=-2h
| eval _time=strptime(TimeStamp,"%m/%d/%Y %H:%M:%S.%N")
| timechart span=15m max(Value) as Value by Tag

timechart relies on the internal, hidden _time field (which is in Unix epoch time) - so if _time doesn't match TimeStamp, you need the eval statement I added to convert from your TimeStamp to Unix epoch time in _time (which I've assumed is in mm/dd/yyyy format).

Also, go take the free, self-paced Splunk Fundamentals 1 class.

0
RichG On

Showing trends over time is done by the timechart command. The command requires that times be expressed in epoch form in the _time field. Do that using the strptime function.

Of course, this presumes the data is indexed and fields extracted already.

index=foo
| eval _time = strptime(TimeStamp, "%m/%d/%Y %H:%M:%S.%3N")
| timechart max(Value) by Tag
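Both answers rely on the same two steps: convert TimeStamp to an epoch _time with strptime, then let timechart bucket events by span and compute max(Value) per Tag. The following Python model of those two steps is an added example, not code from either answer or from Splunk; the events are constructed sample rows with the question's four fields, and Python's %f stands in for Splunk's %N subsecond directive.

```python
from datetime import datetime, timezone

# Constructed sample events with the fields from the question (TimeStamp, Tag,
# Value, Status). Values are made up, not real substation readings.
EVENTS = [
    {"TimeStamp": "03/01/2021 10:02:15.250", "Tag": "SubstationA_T1_MW", "Value": 41.2, "Status": "Good"},
    {"TimeStamp": "03/01/2021 10:09:30.000", "Tag": "SubstationA_T1_MW", "Value": 43.7, "Status": "Good"},
    {"TimeStamp": "03/01/2021 10:04:00.500", "Tag": "SubstationA_T2_MW", "Value": 38.9, "Status": "Good"},
    {"TimeStamp": "03/01/2021 10:17:45.000", "Tag": "SubstationA_T1_MW", "Value": 40.1, "Status": "Good"},
    {"TimeStamp": "03/01/2021 10:20:10.000", "Tag": "SubstationA_T2_MW", "Value": 39.5, "Status": "Good"},
    {"TimeStamp": "03/01/2021 10:25:00.000", "Tag": "SubstationA_T2_MW", "Value": 37.0, "Status": "Good"},
    {"TimeStamp": "03/01/2021 10:33:00.000", "Tag": "SubstationA_T3_MW", "Value": 99.0, "Status": "Good"},
    {"TimeStamp": "03/01/2021 10:40:00.000", "Tag": "SubstationA_T1_MW", "Value": 42.0, "Status": "Good"},
]

# The two tags the question asks to compare (the T3 row above is filtered out,
# as the Tag=... OR Tag=... clause in the search would do).
TAGS = ("SubstationA_T1_MW", "SubstationA_T2_MW")


def to_epoch(ts: str) -> float:
    """Model of: eval _time=strptime(TimeStamp,"%m/%d/%Y %H:%M:%S.%N").
    Python has no %N, so the subsecond part is parsed with %f; timestamps are
    treated as UTC because the sample data carries no zone information."""
    dt = datetime.strptime(ts, "%m/%d/%Y %H:%M:%S.%f").replace(tzinfo=timezone.utc)
    return dt.timestamp()


def timechart_max(events, tags, span_s=900):
    """Model of: timechart span=15m max(Value) as Value by Tag.
    Each event is assigned to the span boundary at or before its _time, the
    largest Value per Tag is kept per bucket, and one row per bucket is returned
    with a column per tag (None where a tag had no event in that span)."""
    buckets = {}
    for ev in events:
        if ev["Tag"] not in tags:
            continue
        bucket = int(to_epoch(ev["TimeStamp"]) // span_s) * span_s
        row = buckets.setdefault(bucket, {})
        row[ev["Tag"]] = max(row.get(ev["Tag"], float("-inf")), ev["Value"])
    return [
        {"_time": t, **{tag: buckets[t].get(tag) for tag in tags}}
        for t in sorted(buckets)
    ]


if __name__ == "__main__":
    for row in timechart_max(EVENTS, TAGS):
        print(row)
```

Each returned row corresponds to one point on the x-axis of the chart, with one series per tag, which is the shape timechart hands to the visualisation.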