Need help in creating timechart query - Splunk Community

Splunk Search

I have hourly data for 30 days on execution of jobs. I wanted to create a timechart based on elapsed time. could you please help me through. my query:

| inputlookup xxxx.csv |eval in_epoch = strptime(time, "%m/%d/%Y %H:%M") | timechart span=1d as ElapsedTime

Could you please help?

I think you should try something like this

| inputlookup xxxx.csv |eval _time=strptime(time, "%m/%d/%Y %H:%M") | timechart span=1d count

OR

| inputlookup xxxx.csv |eval _time=time | bin _time span=1d | stats count by _time

let me know if this helps!

HI Mayur,

Thanks for your response. But, both the solution are not working. Data is not being populated in the first place.

Thanks

try this,

 | inputlookup xxxx.csv |eval in_epoch = strptime(time, "%m/%d/%Y %H:%M")  | bucket in_epoch span=1d| stats count values(your_field) as your_field by in_epoch |convert ctime(in_epoch)

Hi @splunker12er,

Thanks for your response. I don't get any error, but is not being populated

try this,

| inputlookup xxxx.csv |eval in_epoch = strptime(time, "%m/%d/%Y %H:%M")  | bucket in_epoch span=1d| stats count values(your_field) as your_field by in_epoch |convert ctime(in_epoch)

try this:
| inputlookup xxxx.csv |eval _time = strptime(time, "%m/%d/%Y %H:%M") | timechart span=1d as ElapsedTime

Hi @adonio,

Thanks for your response.I'm getting this error while running the your solution:

"Error in 'timechart' command: The specifier 'as' is invalid. It must be in form (). For example: max(size)."

Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members! The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...