Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Unable to get value on x-axis
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Unable to get value on x-axis
twh1
Communicator
02-25-2019
09:17 AM
I have a tabular data like below.
**EventTime SQL CPU Utilization Other Process CPU Utilization Total CPU Utilization**
2019-02-24 10:00:48.0 0 3 3
2019-02-24 10:01:48.0 0 2 2
2019-02-24 10:02:48.0 0 1 1
2019-02-24 10:03:48.0 0 1 1
2019-02-24 10:04:48.0 0 2 2
2019-02-24 10:05:48.0 0 2 2
2019-02-24 10:06:48.0 0 2 2
2019-02-24 10:07:48.0 0 3 3
2019-02-24 10:08:48.0 0 5 5
2019-02-24 10:09:48.0 0 3 3
i tried to use the line chart and print EventTime on X-axis and rest values on Y-axis. I am able to get the values on Y-axis but X-axis not displaying the data of EventTime field. I used below query.
index=main sourcettype="SQL" host=ABC | eval Total_CPU_Utilization=(SQLCPUUtilization+OtherProcessCPUUtilization) | chart latest(SQLCPUUtilization) as "SQL CPU Utilization", latest(OtherProcessCPUUtilization) as "Other Process CPU Utilization", latest(Total_CPU_Utilization) as "Total CPU Utilization" by EventTime
Do I need to make any changes in my query?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
03-02-2019
11:19 PM
Like this (the key is to convert EventTime to _time😞
|makeresults | eval raw="EventTime=2019-02-24T10:00:48.0,SQL_CPU_Utilization=0,Other_Process_CPU_Utilization=3,Total_CPU_Utilization=3 EventTime=2019-02-24T10:01:48.0,SQL_CPU_Utilization=0,Other_Process_CPU_Utilization=2,Total_CPU_Utilization=2 EventTime=2019-02-24T10:02:48.0,SQL_CPU_Utilization=0,Other_Process_CPU_Utilization=1,Total_CPU_Utilization=1 EventTime=2019-02-24T10:03:48.0,SQL_CPU_Utilization=0,Other_Process_CPU_Utilization=1,Total_CPU_Utilization=1 EventTime=2019-02-24T10:04:48.0,SQL_CPU_Utilization=0,Other_Process_CPU_Utilization=2,Total_CPU_Utilization=2 EventTime=2019-02-24T10:05:48.0,SQL_CPU_Utilization=0,Other_Process_CPU_Utilization=2,Total_CPU_Utilization=2 EventTime=2019-02-24T10:06:48.0,SQL_CPU_Utilization=0,Other_Process_CPU_Utilization=2,Total_CPU_Utilization=2 EventTime=2019-02-24T10:07:48.0,SQL_CPU_Utilization=0,Other_Process_CPU_Utilization=3,Total_CPU_Utilization=3 EventTime=2019-02-24T10:08:48.0,SQL_CPU_Utilization=0,Other_Process_CPU_Utilization=5,Total_CPU_Utilization=5 EventTime=2019-02-24T10:09:48.0,SQL_CPU_Utilization=0,Other_Process_CPU_Utilization=3,Total_CPU_Utilization=3"
| makemv raw
| mvexpand raw
| rename raw AS _raw
| rex mode=sed "s/T(\d)/ \1/"
| kv
| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"
| eval _time = strptime(EventTime, "%Y-%m-%d %H:%M:%S")
| fields - EventTime
| timechart fixedrange=f span=1m avg(*) AS *
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ashajambagi
Communicator
02-26-2019
01:22 AM
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
twh1
Communicator
02-26-2019
01:36 AM
@ashajambagi ,
My query is working fine. But when I switch to visualization tab I am unable to see EventTime field value on X-axis. I am currently using Splunk 7.1.6 .
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ashajambagi
Communicator
02-26-2019
02:53 AM
Can you share a screenshot?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
twh1
Communicator
02-26-2019
03:29 AM
I am unable to add image for this.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ashajambagi
Communicator
02-26-2019
04:34 AM
try putting it as answer
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vinod94
Contributor
02-25-2019
11:39 AM
Hi dyude @twh1 ,
Check the field name of EventTime and copy as it is.
Can you try this,
index=main sourcettype="SQL" host=ABC | eval Total_CPU_Utilization=("SQL CPU Utilization"+"Other Process CPU Utilization")
|chart latest("SQL CPU Utilization") as "SQL CPU Utilization", latest("Other Process CPU Utilization") as "Other Process CPU Utilization", latest(Total_CPU_Utilization) as "Total CPU Utilization" by EventTime
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
twh1
Communicator
02-26-2019
12:43 AM
hi @vinod94 ,
I have copied the field name from event only. I am getting data in statistics tab properly. But while checking in visualization tab, not getting value on X-axis.
Get Updates on the Splunk Community!
Introducing the 2024 SplunkTrust!
Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!
The ...
Introducing the 2024 Splunk MVPs!
We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...
Splunk Custom Visualizations App End of Life
The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...
