Convert Pie Chart to Timechart - Is it possible?

freephoneid · ‎10-03-2011

Hi,

I'm displaying Pie chart with below query.

index=my_index sourcetype="my_log" keyword1 keyword2 "errorValue=" | rex field=_raw "keyword1 keyword2 (?<my_key>.*)#" | stats last(error) as last_error first(error) as first_error by action | eval error_count = abs(first_error - last_error) | fields - first_error last_error

The Pie chart shows different actions & its error counts.

How can I convert above query to display Timechart so that time will be on X-axis & Y-axis will have errorCount & Legend will be different actions?

Is that even possible?

Thanks!

woodcock · ‎05-29-2015

Try this:

index=my_index sourcetype="my_log" keyword1 keyword2 "errorValue=" | rex field=_raw "keyword1 keyword2 (?<my_key>.*)#" | bucket _time span=1h | stats first(_time) AS time last(error) as last_error first(error) as first_error by action | eval error_count = abs(first_error - last_error) | chart error_count BY time,action

Change the span=1h to whatever time-basis you would like for your X-axis legend.

Convert Pie Chart to Timechart - Is it possible?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!