Splunk Search

How create line chart using Time and Date

kingwaras
Engager

Hi Guys,

I need your help.
I have this structured log:

SERVICE,END_TIME,DATA,TIME
Job_Name,10/12/2018 07:14,10/12/2018,07:14
Job_Name,12/12/2018 07:14,12/12/2018,07:14
Job_Name,13/12/2018 09:04,13/12/2018,09:04
Job_Name,14/12/2018 11:11,14/12/2018,11:11

I need to create this graph where there is Time (Hour) in Y-axis and Date (Days) in X-axis:

alt text

Which is the correct way?

Thanks in advance for the help.

0 Karma

dmarling
Builder

As far as I am aware, you can't make the Y axis in Splunk be non-numeric. It will split the values into different lines for each timestamp you have there instead of a single line.

Documentation: https://docs.splunk.com/Documentation/Splunk/7.2.5/Viz/LineAreaCharts#Data_formatting

| makeresults count=1 
| eval data="Job_Name,10/12/2018 07:14,10/12/2018,07:14
Job_Name,12/12/2018 07:14,12/12/2018,07:14
Job_Name,13/12/2018 09:04,13/12/2018,09:04
Job_Name,14/12/2018 11:11,14/12/2018,11:11" 
| fields - _time 
| rex field=data max_match=0 "(?<data>[^\n\e]+)" 
| eval data=trim(data) 
| mvexpand data
| rex field=data "(?<SERVICE>[^\,]+),(?<END_TIME>[^\,]+),(?<DATA>[^\,]+),(?<TIME>[^\e]+)"
| eval DATA=strftime(strptime(DATA, "%d/%m/%Y"), "%d-%b-%y")
| eval TIME=strftime(strptime(TIME, "%H:%M"), "%H:%M:%S")
| eval count=1
| xyseries DATA TIME count

alt text

A timechart would probably be more beneficial, but it won't have that timestamped Y axis and you would need to hover over the visualization to see the minute:

| makeresults count=1 
| eval data="Job_Name,10/12/2018 07:14,10/12/2018,07:14
Job_Name,12/12/2018 07:14,12/12/2018,07:14
Job_Name,13/12/2018 09:04,13/12/2018,09:04
Job_Name,14/12/2018 11:11,14/12/2018,11:11" 
| fields - _time 
| rex field=data max_match=0 "(?<data>[^\n\e]+)" 
| eval data=trim(data) 
| mvexpand data
| rex field=data "(?<SERVICE>[^\,]+),(?<END_TIME>[^\,]+),(?<DATA>[^\,]+),(?<TIME>[^\e]+)"
| eval _time=strptime(DATA.TIME, "%d/%m/%Y%H:%M")
| timechart span=1m count
| search count>0

alt text

If this comment/answer was helpful, please up vote it. Thank you.
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...