Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Convert Pie Chart to Timechart - Is it possible?

freephoneid
Path Finder
‎10-03-2011 11:34 AM

Hi,

I'm displaying Pie chart with below query.

index=my_index sourcetype="my_log" keyword1 keyword2 "errorValue=" | rex field=_raw "keyword1 keyword2 (?<my_key>.*)#" | stats last(error) as last_error first(error) as first_error by action | eval error_count = abs(first_error - last_error) | fields - first_error last_error

The Pie chart shows different actions & its error counts.

How can I convert above query to display Timechart so that time will be on X-axis & Y-axis will have errorCount & Legend will be different actions?

Is that even possible?

Thanks!

Tags (2)
0 Karma
Reply

woodcock
Esteemed Legend
‎05-29-2015 02:03 PM

Try this:

index=my_index sourcetype="my_log" keyword1 keyword2 "errorValue=" | rex field=_raw "keyword1 keyword2 (?<my_key>.*)#" | bucket _time span=1h | stats first(_time) AS time last(error) as last_error first(error) as first_error by action | eval error_count = abs(first_error - last_error) | chart error_count BY time,action

Change the span=1h to whatever time-basis you would like for your X-axis legend.

Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...