Splunk Search

chart time based

surekhasplunk
Communicator


Hi,

I want a chart exactly like the image attached.

My data is an input lookup CSV file.
My time field name is "Opened".
Data Global * field name is "Assignment group"

Please help me with the query.

I tried something like this, but this is not what I want.
index=level3 host=Test | chart count over Opened by "Assignment group"

Thanks

1 Solution

JDukeSplunk
Builder

My first stab at it would be something like this. This will give you 14 days, including yesterday, but not today.

index=level3 host=Test earliest="-14d@d" latest="-0d@d" | timechart span=1d limit=20 count(Opened) by "Assignment group"

Then in the Visualizations tab change the format to Column, and under Format choose Stacked.


sideview
SplunkTrust

Are the values in the "Opened" field epoch time values, i.e. integer numbers of seconds since 1/1/1970, or are they string-formatted times? If the latter, can you give an example value? Long story short, you need to rename the time field to "_time" and then convert it to epoch time format if it isn't already. Then timechart will happily work with it, just as though the rows were coming from regular indexed events.



surekhasplunk
Communicator

Now I am getting results with the query below, but I am unable to sort it date-wise; rather, it sorts numerically.
I have two date fields with values like this:

Opened = 09/27
Opened D = 09/29/16

Figure 1

index=level3 host=Test | eval _time=strptime("Opened D","%Y-%m-%d %H:%M:%S.%N")|chart count OVER "Opened D" BY "Assignment group" | sort -"Opened D"

Figure 2

One more thing: on the x-axis, instead of "Opened D", how can I get the actual dates?
Only if I enable event sampling am I getting the dates; if I select "No event sampling" then the dates aren't reflected. How do I solve this?
And if I enable event sampling, I am also missing the data for some dates.


JDukeSplunk
Builder

I think you're going to have to use timechart instead of chart.

http://docs.splunk.com/Documentation/Splunk/6.4.3/SearchReference/Timechart

Maybe..

...|timechart span=1d count(Opened) by "Assignment group"

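As an added example (not code from this thread, from Splunk, or from any of the posters), here is a plain-Python model of the pipeline the answers converge on: `| inputlookup tickets.csv | eval _time=strptime('Opened D', "%m/%d/%y") | timechart span=1d count by "Assignment group"`. It runs offline on a few constructed lookup rows and shows three things the thread discusses: why `sort -"Opened D"` on the raw string orders lexically rather than by date (the follow-up question), how timechart's per-day count by group is built once `_time` is epoch seconds (sideview's point), and how `earliest="-14d@d" latest="-0d@d"` snaps to midnight so that yesterday is the last full day and today is excluded (JDukeSplunk's accepted answer). The file name `tickets.csv`, the `%m/%d/%y` format for values like `09/29/16`, and the row data are assumptions.

```python
# Added example (not code from the Splunk Community thread or from Splunk): a
# plain-Python model of
#   | inputlookup tickets.csv
#   | eval _time=strptime('Opened D', "%m/%d/%y")
#   | timechart span=1d count by "Assignment group"
# run on constructed lookup rows. It shows why sorting the raw "Opened D" string
# is lexical rather than chronological, how a per-day bucket count is built from
# the epoch _time, and how earliest="-14d@d" latest="-0d@d" snaps to midnight.
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample rows (hypothetical data, not the poster's lookup file).
LOOKUP_ROWS = [
    {"Opened D": "09/29/16", "Assignment group": "Network"},
    {"Opened D": "10/01/16", "Assignment group": "Network"},
    {"Opened D": "09/27/16", "Assignment group": "Storage"},
    {"Opened D": "09/29/16", "Assignment group": "Storage"},
    {"Opened D": "12/31/15", "Assignment group": "Network"},    # lexically after 10/01/16, chronologically first
    {"Opened D": "not a date", "Assignment group": "Network"},  # strptime yields null in SPL; dropped below
]

TIME_FMT = "%m/%d/%y"  # assumed format for values such as 09/29/16 (2-digit year)


def to_epoch(value, fmt=TIME_FMT):
    """eval _time=strptime(field, fmt): epoch seconds, or None when the value does not parse.

    Numeric input is passed through, covering sideview's case where the field
    already holds epoch time.
    """
    if isinstance(value, (int, float)):
        return float(value)
    try:
        return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc).timestamp()
    except ValueError:
        return None


def lexical_order(rows, field="Opened D"):
    """What `sort -"Opened D"` does on the raw string: character order, not date order."""
    return sorted({r[field] for r in rows}, reverse=True)


def chronological_order(rows, field="Opened D"):
    """Same distinct values ordered by their epoch _time; unparsable values are dropped."""
    epochs = {r[field]: to_epoch(r[field]) for r in rows}
    return sorted((v for v, t in epochs.items() if t is not None),
                  key=lambda v: epochs[v], reverse=True)


def timechart_count_by(rows, time_field="Opened D", group_field="Assignment group",
                       span_seconds=86400):
    """timechart span=1d count by <group_field>, as a list of (YYYY-MM-DD, {group: count})
    in chronological order. Rows without a usable _time are skipped, as timechart
    ignores events that have no _time."""
    buckets = defaultdict(Counter)
    for r in rows:
        t = to_epoch(r[time_field])
        if t is None:
            continue
        bucket = int(t // span_seconds) * span_seconds  # floor to the start of the day (UTC)
        buckets[bucket][r[group_field]] += 1
    return [(datetime.fromtimestamp(b, tz=timezone.utc).strftime("%Y-%m-%d"), dict(counts))
            for b, counts in sorted(buckets.items())]


def snapped_window(now, days_back=14):
    """earliest="-14d@d" latest="-0d@d": both snapped to midnight, so yesterday is the
    last full day included and today is excluded. `now` is a datetime or ISO-8601 string."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    return midnight - timedelta(days=days_back), midnight


if __name__ == "__main__":
    print("lexical  :", lexical_order(LOOKUP_ROWS))
    print("by _time :", chronological_order(LOOKUP_ROWS))
    for day, counts in timechart_count_by(LOOKUP_ROWS):
        print(day, counts)
    earliest, latest = snapped_window("2016-10-02T15:30:00+00:00")
    print("window   :", earliest.isoformat(), "->", latest.isoformat())
```

One caveat when carrying this back to SPL: `earliest` and `latest` in the base search only filter indexed events. Rows produced by `inputlookup` are not time-filtered by the time range picker, so the 14-day window from the accepted answer has to be applied after the `eval`, for example with `| where _time>=relative_time(now(), "-14d@d") AND _time<relative_time(now(), "@d")`. Unparsable dates come out of `strptime` as null and silently vanish from the chart, which is one way to lose "some dates' data" without noticing; count them with `| stats count(eval(isnull(_time)))` before trusting the chart.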