How to make a timechart/graph from a search result...

anirban_nag · ‎12-22-2015

I have some events with message field as Bar Hello.., Bar Hi..., Bar Foo... and so on. I do not know beforehand how many this type of message are there. It is purely dynamical. But this messages are generated one at a time and timestamp of events with this messages are different. Now I want to show the search results as timechart. Right now I have this

index=baz host=server1 message="Bar*" | table host message _time | sort by -_time

dcharboneau_spl · ‎12-23-2015

You should just need the timechart command.

See Below:

index=baz host=server1 message="Bar*" |timechart count(message) by message usenull=f useother=f

anirban_nag · ‎12-24-2015

It would be good if in the graph it is a single line with different color for different type of message.

dcharboneau_spl · ‎12-28-2015

Not sure how that would work. A single line for x number of message types won't work as a visualization. you could do a Stacked column Chart view instead of a line chart. Above should produce multiple lines each a different color and one line for each message type over time.

cmccormick · ‎12-22-2015

Are you wanting to know how many of the messages you are receiving for a given timeframe?

anirban_nag · ‎12-22-2015

No I don't want to know how many but I want to create a line chart based on the messages and their frequency. Though I think I got close to it index=baz host=server1 message="Bar*" | table host message _time | sort by -_time | timechart span=2m count by message usenull=f. Now it would be good if in the graph it is a single line with different color for different type of message.

How to make a timechart/graph from a search result?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases