Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my search to display millisecond data for timechart?

ToniSchulz
Explorer
‎03-09-2015 04:31 AM

Hello everyone,

I assume this is a real beginner question, but I must have made a mistake in my way of operating data within Spunk:

I have process data from a milling process, which was just 3 seconds long, but hast 2000 measuring points in milliseconds. When I now want to have a timechart for this three seconds, it just shows one average value for each second, but not clumn with all values. I assume this is due to the fact that the timespan is just one second.

My values look like this:

2015-02-17 14:06:21

-0,115261 (tension in N)
-0,230522 (each value hier is 14:06:21,xxx in reality)
-0,345783
-0,461044
-0,576305
...
2015-02-17 14:06:22
-0,115261
-0,230522
-0,345783
....

When I just do a normal seach like
index=* sourcetype=csv| timechart values(Bending_Moment_X) I just get the three seconds with an empty chart. How can I tell the chart that I need a value for each millisecond?

Thanks a lot in advance!

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎03-09-2015 05:41 AM

I see two issues here. One is the actual timing, and the other is the use of values() for numeric data in a timechart. Try this over your three-second time range:

... | timechart span=10ms avg(Bending_Moment_X)

That should give you 300 buckets, each representing ten milliseconds with the average bending moment for that period.

Note, the standard chart will only render timestamps down to the second, so in the 10ms example you will have 100 data points that display the same time. To get around this you will need to use more customized charting.

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎03-09-2015 05:41 AM

I see two issues here. One is the actual timing, and the other is the use of values() for numeric data in a timechart. Try this over your three-second time range:

... | timechart span=10ms avg(Bending_Moment_X)

That should give you 300 buckets, each representing ten milliseconds with the average bending moment for that period.

Note, the standard chart will only render timestamps down to the second, so in the 10ms example you will have 100 data points that display the same time. To get around this you will need to use more customized charting.

Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎03-10-2015 07:10 AM

Great to hear!

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎03-09-2015 07:03 AM

The values you posted in your question suggest German style numbers with commas as decimal separator, Splunk expects English style numbers with points as decimal separator

Reply
Solved! Jump to solution

ToniSchulz
Explorer
‎03-10-2015 05:44 AM

It now works perfectly!
Huge thank you at martin_mueller!

Reply
Solved! Jump to solution

ToniSchulz
Explorer
‎03-09-2015 06:58 AM

The timechart span is now peferfect, thanks for that!
But unfortunatly the avg function does not display the values of the field (range is betwenn -5n and +5N) but seems to sum up the number of measurements. The command 

...| eval Bending_Moment_X=abs(Bending_Moment_X) | timechart span=10ms avg(Bending_Moment_X)

results in just having the value 0 for euch Bending Moment. Where is the mistakt in that?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...