Splunk Search

Need to populate recent time value at the column left and oldest time towards right using chart command

arunrajamani
New Member

Hello Experts,

We had created splunk dashboard for monitoring automation tests which is triggered at Jenkins. Below is the dashboard view which we created and kindly help here in getting the time field to show latest value in the left and currently it was showing oldest value in the left.

Kindly help here in sharing your valuable inputs.

Cheers,
Arun

Tags (2)
0 Karma

to4kawa
Ultra Champion
| makeresults count=2
| streamstats count
| eval _time = if (count==2,relative_time(_time,"-2d@m"), relative_time(_time,"@m"))
| makecontinuous span=1m
| eval steps="step".(random() % 7 + 1)
| bin span=3h _time
| timechart limit=0 count by steps
| eval step=strftime(_time,"%Y-%m-%dT%H:%M:%SZ") 
| table step*
| reverse
| transpose 0 header_field=step column_name=steps

Hi folks,
try reverse

0 Karma

niketn
Legend

@arunrajamani can you please refer to one of my older Answer on similar lines
https://answers.splunk.com/answers/724720/how-can-i-change-from-descendant-to-ascendant-in-t.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

arunrajamani
New Member

Hello nike,

Thanks for your reply.
I tried this but not working.
I need a solution with respect to chart command only so that my view shouldn't change.

Kindly help!!

0 Karma

arunrajamani
New Member

Steps 19/11-15:00 19/11-21:00 20/11-09:00 20/11-12:00
Step1 P P P F
Step2 P P P S
Step3 P P P S
Step4 P P P S
Step5 P P P S
Step6 P P P S
Step7 P P P P

0 Karma

arunrajamani
New Member

Hello Miller,

I tried reverse command aswell but not worked. Kindly help me some other way using the chart command

0 Karma

rmmiller
Contributor

Does the reverse command help you accomplish this?

0 Karma

arunrajamani
New Member

Query used:

Below is the query used to generate this dashboard.

index=splunk
|spath ​
|rename triggered-at as StartTime​
|spath path=scenarioData{} ​
| mvexpand scenarioData{} ​
| spath input=scenarioData{} ​

|rename environment as Environment, "business scenario" as BusinessScenario,steps{}.fullName as Steps,steps{}.status as Status steps{}.steptime as StepTime steps{}.stepduration as Duration evidenceURL as Evidence​

|eval string1=mvzip(Steps,Status,"sep_")​
|mvexpand string1​
|rex field=string1 "(?.)sep_"​
|rex field=string1 "sep_(?.
)"​

|eval Status = if('Status'="passed","P",if('Status'="failed","F",if('Status'="Pass","P",if('Status'="Fail","F",if('Status'="Skipped","S",if('Status'="skipped","S",'Status'))))))​
​|eval epoche=strptime(StartTime,"%Y-%m-%dT%H:%M:%SZ")​
|eval c_time=strftime(epoche,"%d/%m-%H:00")​
| search Environment="sit" AND BusinessScenario="BusinessScenario1" AND application="" AND type=""​​
| table Steps Status c_time StepTime Duration Evidence​
| chart values(Status) by Steps,c_time

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...