Associate alarm data to your asset structure in Splunk IAI
If you have alarm data from industrial systems and software, you can associate those alarms to the assets in your asset hierarchy. This lets you view alarm data along with metrics data in the Analyze view.
This procedure is optional.
- You must have alarm data ingested into an event index. See Get your metrics and alarm data in to Splunk IAI.
- Your alarm data must match the IoT common information model for alarm data. See Requirements for alarm data from your industrial assets.
- You must have uploaded at least one asset hierarchy. See Model your asset hierarchy in Splunk IAI.
Search to identify the data to associate
Run a search for the data that you want to associate to this asset hierarchy. Splunk IAI generates a table from your indexed data that you can use to identify your assets, alarms, and alarm messages.
- Click the Configure gear icon.
- Click the Asset Hierarchies tab.
- In the row of the asset hierarchy to which you want to associate data, click Associate Data in the Actions column.
- Enter this search query in the Search field, replacing <your index name> with the name of the event index that contains the alarm data that you want to associate with this asset hierarchy:
You can replace
index=<your index name> | fields asset alarm_name message _time index sourcetype
assetwith other field names if your raw data is not normalized to the IoT common information model for alarm data, but these fields must exist in your data. The
sourcetypefields are required.
- Click the magnifying glass icon to the right of the search field to search your data.
Up to 50 results appear in a table, presenting a sample of the index, assets, alarm names, and alarm messages from your indexed data.
Label your data
Label the columns to align your data to the required schema.
- Find the column that represents the names of assets in your environment.
- Click a row of the column that contains asset name data.
- In the drop-down menu that appears, select Assets.
- Find the column that represents the names of alarms in your environment.
- Click a row inside that column.
- In the drop-down menu that appears, select Alarm > Name.
- Find the column that represents the messages from the alarms in your environment. Not all alarms produce messages, so blank values are allowed.
- Click a row inside that column.
- In the drop-down menu that appears, select Alarm > Message.
- Confirm that the index field is visible.
- Click Next.
Splunk IAI uses the labels you applied to automatically map the data in your index to your asset hierarchy, matching up the assets in your data that are an exact match to the names of the assets you defined in your hierarchy.
Match unmatched assets
In the Match Unmatched Assets screen, Splunk IAI displays a list of assets from your hierarchy in the left column and a list of unmatched assets in your data in the right column. The assets for which Splunk IAI was able to find an exact match are labeled with a green checkmark icon. The remaining assets are labeled with a yellow triangle to indicate they are unmatched.
Match any unmatched assets by creating and uploading a mapping file. A mapping file correlates asset names from your data with asset names in your hierarchy so that Splunk IAI can map the data in your index correctly to your hierarchy.
- Create a two-column CSV file with this header row:
- In the Match Unmatched Assets screen, use the filters to navigate through the unmapped assets in your hierarchy and sample data to find the ones you want to match.
- Populate rows in your CSV file with asset names from your hierarchy and the asset names in your indexed data to which they correlate.
In the hierarchy column of your CSV file, you must use the full path to the asset exactly as it appears in the column of assets from your hierarchy.
- Save the CSV file.
- Drag and drop the file you want to upload to the Drop your file here area on the page, or click Browse to navigate to the file. When you upload a valid mapping file, the summary of matched and unmatched assets changes to reflect the new mappings you provided in the file.
- Repeat as needed, using additional mapping files to match any remaining unmatched assets until you have matched all relevant items.
- Click Save.
Associate metrics data to your asset structure in Splunk IAI
Create groups of assets in Splunk IAI
This documentation applies to the following versions of Splunk® Industrial Asset Intelligence (Legacy): 1.2.1, 1.2.2, 1.3.0