Splunk Search

Timechart results in to week buckets - keeps forcing monthly

999chris
New Member

Splunk can be pretty mean at times and do things that have no sense. Im trying to create a chart that shows a few percentages from data going back 6 months which is plopped in to week buckets. The below query is only creating monthly buckets though...

index=pmc sourcetype=stash source="PDL Per*" WORKFLOWSTATUSID!=1 earliest=-6mon@w
| eval WORKFLOWSTATUSID=case(WORKFLOWSTATUSID==0,"Finished", WORKFLOWSTATUSID==1, "In Progress", WORKFLOWSTATUSID==4, "Error",WORKFLOWSTATUSID==7,"Failed", 1=1, "Other") 
| bin _time span=7d
| timechart mean(percent) as percent by WORKFLOWSTATUSID usenull=f span=7d

All help is appreciated greatly.

Tags (1)
0 Karma
1 Solution

cmerriman
Super Champion

can you either remove the bin _time or make the timechart into a chart and see if that works?

index=pmc sourcetype=stash source="PDL Per*" WORKFLOWSTATUSID!=1 earliest=-6mon@w
 | eval WORKFLOWSTATUSID=case(WORKFLOWSTATUSID==0,"Finished", WORKFLOWSTATUSID==1, "In Progress", WORKFLOWSTATUSID==4, "Error",WORKFLOWSTATUSID==7,"Failed", 1=1, "Other") 
 | timechart mean(percent) as percent by WORKFLOWSTATUSID usenull=f span=7d

OR

index=pmc sourcetype=stash source="PDL Per*" WORKFLOWSTATUSID!=1 earliest=-6mon@w
 | eval WORKFLOWSTATUSID=case(WORKFLOWSTATUSID==0,"Finished", WORKFLOWSTATUSID==1, "In Progress", WORKFLOWSTATUSID==4, "Error",WORKFLOWSTATUSID==7,"Failed", 1=1, "Other") 
 | bin _time span=7d
 | chart mean(percent) as percent by _time WORKFLOWSTATUSID usenull=f 

View solution in original post

0 Karma

999chris
New Member

Cheers cmerriman.

The latter option worked. Am I right in saying its bizarre that my original query was duff?

0 Karma

mattymo
Splunk Employee
Splunk Employee

did you try moving span ?

 | timechart span=7d mean(percent) as percent by WORKFLOWSTATUSID usenull=f 

If I recall correctly, order matters here

- MattyMo

jkat54
SplunkTrust
SplunkTrust

That was my first thought too

0 Karma

cmerriman
Super Champion

can you either remove the bin _time or make the timechart into a chart and see if that works?

index=pmc sourcetype=stash source="PDL Per*" WORKFLOWSTATUSID!=1 earliest=-6mon@w
 | eval WORKFLOWSTATUSID=case(WORKFLOWSTATUSID==0,"Finished", WORKFLOWSTATUSID==1, "In Progress", WORKFLOWSTATUSID==4, "Error",WORKFLOWSTATUSID==7,"Failed", 1=1, "Other") 
 | timechart mean(percent) as percent by WORKFLOWSTATUSID usenull=f span=7d

OR

index=pmc sourcetype=stash source="PDL Per*" WORKFLOWSTATUSID!=1 earliest=-6mon@w
 | eval WORKFLOWSTATUSID=case(WORKFLOWSTATUSID==0,"Finished", WORKFLOWSTATUSID==1, "In Progress", WORKFLOWSTATUSID==4, "Error",WORKFLOWSTATUSID==7,"Failed", 1=1, "Other") 
 | bin _time span=7d
 | chart mean(percent) as percent by _time WORKFLOWSTATUSID usenull=f 
0 Karma

jkat54
SplunkTrust
SplunkTrust

What happens if you change 7d to 1w?

0 Karma

999chris
New Member

Here is an image of the results:

alt text

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...