How to create a line graph where for each day, it ...

alanxu · ‎08-21-2015

Hello,

I extracted the time with the variable TIME. I am trying to create a line graph where it shows the latest time. My search right now is

host=... source=... | timechart max(TIME) by Date

However, my y-axis' values are odd. It goes from 7,000 to 10,000, but the x-axis is correct with the dates.

woodcock · ‎08-27-2015

Assuming that TIME is actually duration, you can use the tostring to convert to seconds like this:

host=... source= | eval DURATION=tostring(TIME,"duration") | timechart max(DURATION) by Date

alanxu · ‎08-27-2015

When I do verbose events show up but no visualizations.

alanxu · ‎08-27-2015

I dont get any results with your line. When I remove timechart there is events. But once I add timechart max(duration) by date nothing vcomes up

somesoni2 · ‎08-21-2015

In What format you're extracting the TIME value? Can you run something like this and share result?

 host=... source=... | head 1 | table TIME

alanxu · ‎08-21-2015

Its really odd that the table is perfect, but the line graph is always wrong

somesoni2 · ‎08-21-2015

It could be because you're plotting string values in Y-axis. You want to plot the max time of the day in HH:MM:SS format for each day (last 7 day)?

alanxu · ‎08-21-2015

Oh they are string values?

somesoni2 · ‎08-21-2015

I would need your full current query to confirm the same..

alanxu · ‎08-21-2015

I can send you a picture of the table that comes up

somesoni2 · ‎08-21-2015

That will work too. somesh.soni@gmail.com

alanxu · ‎08-21-2015

Look at the second email instead

somesoni2 · ‎08-21-2015

Yes, that's the work around, instead of HH:MM:SS in string format, we can convert it to HH.MM (HH dot MM) i.e. decimal value which can be plotted . I know it would not look good for Tables but decent work around for graphs. Do you intent to put this in dashboard??

If this workaround is acceptable to you, I can tell the option to convert your already existing TIME field to decimal value.

alanxu · ‎08-21-2015

Instead of _time cant I just use TIME?

somesoni2 · ‎08-25-2015

Your TIME is again a string right? So, to get a decimal out of it OR to convert it to decimal, you can try something like this

 | eval TIME=tonumber(replace(TIME ,"^(\d+):(\d+)",\1.\2")) | timechart max(TIME) as TIME by Date

somesoni2 · ‎08-21-2015

Try query like this and let me know if TIME and TIME_decimal are similar (e.g. 02:47:04 will show as 2.47)

your current search giving your _time Date TIME fields | eval TIME_decimal=tonumber(replace(TIME,"(\d+):(\d+):(\d+)","\1.\2")) | table _time TIME TIME_decimal

somesoni2 · ‎08-21-2015

And if this looks correct try this

your current search giving your _time Date TIME fields | eval TIME_decimal=tonumber(replace(TIME,"(\d+):(\d+):(\d+)","\1.\2")) | timechart max(TIME_decimal) as TIME by Date

alanxu · ‎08-21-2015

yeah into a dashboard. But I feel the values are offf.. IF you look at the email I sent you the values should be like 2.3 1.5 if anything.. But isntead I am get nines

alanxu · ‎08-21-2015

sent the picture!

somesoni2 · ‎08-21-2015

As suspected, there are string values (propably output of command like | eval TIME=strftime(_time ,"%H:%M:%S") . The workaround that you can try would be like this

 | eval TIME=tonumber(strftime(_time ,"%H.%M")) | timechart max(TIME) as TIME by Date

alanxu · ‎08-21-2015

I am trying to have..
y-axis have a range of times
x-axis have dates

then it will be plotting the latest time for each date.

How to create a line graph where for each day, it displays the latest time?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!