Refine your search:

is it possible to plot earliest and latest value of field values. or at least earliest time in x axis and field values in y axis. I have tried chart command as mentioned below

index=main source=sourcefilename.txt |chart earliest(PC_time) over field_PC

here, PC_time and field_PC are extracted fields and field_PC have nearly 26 values. PC_time is the time of the events occured. i am getting a table when i am using the search command

index=main source=sourcefilename.txt" | stats earliest(PC_time) AS startingtime,latest(PC_time) AS Endingtime by field_PC

with 3 columns field_PC, earliest(PC_time) and , latest(PC_time), but with the first command I am getting chart plotted field_PC values in X axis but Y axis values are not related to my search result. how to debug the issue?

please help me to solve this issue
thanks in advance

asked 02 Nov '12, 01:32

smolcj's gravatar image

accept rate: 58%

edited 02 Nov '12, 08:32

lguinn's gravatar image

lguinn ♦

Is the Splunk timestamp (that appears to the left of the events in a search) the same value as PC_time?

(02 Nov '12, 08:37) lguinn ♦

yup, both are same, just to be friendly with splunk regex i extracted it separately.

(05 Nov '12, 21:16) smolcj
Be the first one to answer this question!
toggle preview

Follow this question

Log In to enable email subscriptions



Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported



Asked: 02 Nov '12, 01:32

Seen: 647 times

Last updated: 05 Nov '12, 21:16

Copyright © 2005-2014 Splunk Inc. All rights reserved.