Splunk® Industrial Asset Intelligence (Legacy)

Use Splunk Industrial Asset Intelligence

Acrobat logo Download manual as PDF


Splunk Industrial Asset Intelligence reached its End of Sale on February 24, 2020.
Acrobat logo Download topic as PDF

Analyze asset metrics in Splunk IAI

Use the Analyze page to analyze metrics and alarms without having to write searches. On this page, you can select data sources to create interactive charts in the workspace. You can apply filters and aggregations to gain insight into your organization's raw metrics.

Get started

To access the Analyze page, click the Analyze icon in the left sidebar. You can also reach this page from a specific metric by clicking Analyze from the list of metrics for an asset or a group, or from any metric details page. You can also open the Analyze page by clicking on a metric in a monitor view if your IAI administrator has configured that metric to route you to the Analyze page.

Navigate the Analyze page

The Analyze page is divided into three sections:

  • The data panel on the left shows all metrics and alarms for assets and groups in your operation.
  • The workspace in the center is where you see your data represented in charts.
  • The Analysis panel on the right lists the aggregations, overlays, and filters that you can apply to raw metrics.

If your data contains more than 1000 assets, metrics, or alarms for a particular hierarchy node, you can only view the first 1000 results of each type for a particular node. Use the filter to search for the specific asset, metric, or alarm name.

Find metrics and alarms in the data panel

Depending on what you click on in the data panel, Splunk IAI displays a corresponding chart.

Item in data panel Chart behavior
Raw asset metric from the Assets tab A single-line time series chart for that asset.
You can use all of the functions available in the Analysis panel to customize the chart.
Calculated asset metric from the Assets tab A single-line time series chart for that asset.
The Analysis panel is not available for calculated metrics.
Alarm from the Assets tab A time-series chart of alarm events for that asset.
The Analysis panel is not available for alarms.
Calculated group metric from the Assets tab A single-line time series chart for that asset. If the calculation is not relevant for the asset that you selected, the chart displays an error message.
The Analysis panel is not available for calculated metrics.
Raw group metric from the Groups tab A multi-line time series chart split by assets in the group for which that raw metric is applicable.
By default, the chart displays the 500 assets with the highest values. You can use all of the functions available in the Analysis panel to customize the chart.
Calculated group metric from the Groups tab A multi-line time series chart split by assets in the group for which that calculated metric is applicable. Splunk IAI determines whether to include an asset in the chart depending on the formula of the calculated metric. If the formula includes raw group metrics that are not applicable to some assets in the group, it excludes those assets from the chart.
The Analysis panel is not available for calculated metrics.

Analyze metrics with charts

Every metric or alarm that you select from the data panel appears as a separate chart in the workspace. You can select an item more than once to compare different aggregations over the same time range in separate charts.

Each chart contains a time series based on at least one aggregation. Hover over any point on the series to see the corresponding values in the chart legend to the right of the chart.

You can take the following actions to affect all the charts displayed in your workspace:

  • Change the time range by using the time range selector at the top of the workspace.
  • Zoom in on a narrower time range for all charts by clicking and dragging on any chart.
  • Zoom back out to the time range you previously selected by clicking the back arrow on the upper left side of the workspace.
  • Refresh to include the most recent data.
  • Enable auto-refresh to reload data automatically every 10 seconds.
  • Clear all the charts from the workspace.
  • Change between a stacked and tiled display.
  • Save the currently displayed charts to a dashboard.
  • View a shared hairline on all charts by hovering over any chart.

Selections you make in the Analysis panel on the right side of the screen affect only the chart you currently have selected. You can have several charts displayed on your workspace, but only one can be selected at a time. You can manipulate individual charts in the following ways:

Action Available for...
Apply aggregations by selecting from the options in the Aggregations section of the Analysis panel. See Aggregations for details. Raw metrics
Overlay a previous time period. See Time comparisons for details. Raw metrics
Split metrics by a dimension you specify. See Splitting and stacking for details. Raw metrics
Filter the chart to include or exclude data that matches dimension values you specify. See Filters for details. Raw metrics
Open a new tab showing the Splunk search that generates the chart. Click the three horizontal dots in the upper right corner of the chart and select Open in Search. See Search for details. Raw and calculated metrics
Open a new tab showing related raw events. Click the three horizontal dots in the upper right corner of the chart and select Search Related Events. Raw metrics
Export the chart image as a PNG file. Click the three horizontal dots in the upper right corner of the chart, and then select Export as PNG. Raw and calculated metrics
Export the chart values as a CSV file. Click the three horizontal dots in the upper right corner of the chart and select Export as CSV. Raw and calculated metrics

Aggregations

Charts in the workspace display time series data based on aggregated data. The chart displays a data point representing the aggregation calculation over each time span. For calculated metrics, the span is set to what was configured when the metric was created in formula builder. For raw metrics, Splunk IAI automatically configures a span based on the time range you applied at the top of the workspace. Increasing or decreasing the time range causes the span to increase or decrease automatically. For example, if you view a raw metric chart with the time window set to "Last 1 hour", Splunk IAI sets the span to 10 seconds and calculates a single data point for every 10 second period. If you then increase the time window to "Last 24 hours", Splunk IAI sets the span to 5 minutes and calculates a single data point for every 5 minute period.

For raw metrics, you can add or change the aggregations applied. Calculated metrics created by your IAI administrator already have aggregate functions applied. If you need a different calculation for a metric, or a different span, request it from your IAI administrator.

The following aggregations are available for raw metrics:

Aggregation Description
Average (Avg) Average value from each span. This is the default aggregation.
Maximum (Max) Maximum value from each span.
Minimum (Min) Minimum value from each span.
Standard deviation (Std dev) Standard deviation for each span.
Sum Sum of values from each span.
Percentiles Percentile values from each span. View a maximum of five percentiles. Default percentiles are 90, 75, 50, 25, and 15. To remove a percentile, click the X icon next to the percentile you want to remove. To configure additional percentiles, enter a number between 1 and 100 in the box under the percentiles option.

Time comparisons

Time comparisons overlay a previous time period on a chart for a raw metric to investigate whether a time series has changed significantly between two related time ranges.

Time comparisons are not available when splitting charts by dimension.

Add a time comparison to a chart to investigate changes in your data over time:

  1. Select a chart in the workspace.
  2. In the Analysis panel, click the Compare to list under Time Comparison.
  3. Select from the list of preset time overlays, or select custom to enter the time comparison you want to use.

Time comparisons appear as dotted lines on the chart.

To remove a time comparison from a chart to show data from only the current time range, change the selection in the Compare to list to None.

Splitting and stacking

Split a chart for a raw metric by a dimension to view a separate time series for each dimension value. By default, group metrics are split by asset.

Splitting a chart by a dimension shows the values with the highest or lowest data points in the selected time range.

Splitting by dimension is not supported for charts with time comparisons or with multiple aggregations applied.

To split a chart by a dimension, perform the following steps:

  1. Select the chart you want to split by dimension.
  2. In the Analysis panel, click the Split by list.
  3. Select the dimension that you want to split.
  4. For Display, select either the Highest or Lowest spikes in data.
  5. Select the number of values to display.
  6. (Optional) Select Stack Series to show the sum of dimension values on the chart. In a stacked series, each series appears as a colored area of the stacked chart.

The chart shows a new time series for each value of the split dimension.

Because the highest and lowest dimension values are calculated based on the overall highest and lowest data points, it is possible for dimensions to appear in both a chart showing the highest values and a chart showing the lowest values. For example, if one asset in a group experienced dramatic high and low spikes in temperature over the period shown on the workspace, that asset would show up on a chart for the assets with the highest temperatures and the assets with the lowest temperatures.

To remove a dimension split, change the selection in the "Split by" list to None.

Filters

Filter data to view specific dimension values on the chart. If a chart is already split by a dimension, you can use filters to add or remove time series data for selected dimension values.

By default, metrics have an index and asset filter applied. Hover over the filter icons on the chart to see which dimensions are included. Click the filter icons to edit the applied filters, or use the Filters section of the Analysis panel.

Use wildcards from within the Filter panel to filter for a dimension with a high number of values. For information about using wildcards in the Splunk platform, see Wildcards in the Search Manual.

To filter by dimension value from the Analysis panel, perform the following steps:

  1. Select the chart you want to filter by dimension value.
  2. In the Analysis panel, under Filters, click the name of the dimension you want to filter.
  3. Select whether to Include or Exclude the specified dimension values.
  4. From the list of dimension value names, select the dimension values you want to filter on the chart.

    If the list contains more than 12 dimension values, a search bar appears. Type part or all of the dimension value name into the search bar to refine the list. Wildcards are supported.

The chart shows data for the dimension values that you selected.

If a chart is already split by a dimension, you can also filter by dimension value using the legend to the right of the chart:

  1. Select a chart already split by dimension.
  2. In the chart legend, click the name of the dimension value that you want to filter.
  3. From the options that appear, click either Keep Only or Exclude.

The chart shows data for the dimension values that you selected.

To remove dimension value filters, perform the following steps:

  1. Select the chart you want to clear filters for.
  2. In the Analysis panel, under Filters, click the name of the dimension you want to clear filters for.
  3. In the top-right corner of the list of dimension values, click the X icon.

The chart shows data for all values of that dimension.

Search

On any chart, you can access the Splunk search that generates the chart:

  1. Click the three horizontal dots in the upper right corner of the chart and select Open in Search.
  2. Go to the new tab that opens in your browser to view the search.

The new tab is in the Search & Reporting App. In this app, you can modify the search, run additional searches, and create dashboards and reports built on your raw data. For more information, see About the Search app in the Splunk Enterprise Search Manual.

Troubleshooting

If you see a message that says "This calculated metric depends on metrics that are not applicable to the selected asset.", you are attempting to display a chart for a calculated metric that an asset inherits from a group, but that calculated metric is dependent on a metric that isn't applicable to this asset. For example, your IAI administrator creates a group for all of the air conditioners in your industrial environment. Half of the air conditioners have a raw metric called "temp" and the other half of the air conditioners have a raw metric called "temperature." If the IAI admin creates a calculated metric called "Tmp in Celsius" that converts the value for "temperature" into Celsius, all of the assets in the group inherit that calculated metric. However, if you try to display the Temperature in Celsius chart on the Analyze page for an asset that has the temp raw metric instead of the temperature raw metric, you see the error "This calculated metric depends on metrics that are not applicable to the selected asset." because that asset doesn't have a temperature metric to use in the calculation.

If you see other error messages when you try to display a chart, contact your Splunk IAI administrator.

Here are other common reasons that charts fail to display:

  • The formula for a calculated metric is invalid.
  • The time span for a calculated metric is invalid.
  • Data types included in the formula for a calculated metric aren't all numeric.
  • Data is in an index that the signed-in user does not have access to read.
  • The data flow stopped, so there is no data to display.
Last modified on 15 March, 2019
PREVIOUS
Browse assets, groups, and metrics in Splunk IAI 		 

This documentation applies to the following versions of Splunk® Industrial Asset Intelligence (Legacy): 1.2.1, 1.2.2, 1.3.0

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters