Solved: using a different time base on timechart

fk319 · ‎12-09-2010

I would like to use a different field than _time as my time base for timechart.

I build a stats table, and in it I use "max(_time) as EndTime", after this point, I lose the value of _time and cannot use timechart. If I use chart, then the missing times get squashed out. What I would like to do, is after the stats command, use timechart with a the new compute "_time".

gkanapathy · ‎12-09-2010

Just don't use timechart and use chart instead. timechart f(x) by y is basically the same as chart f(x) by _time,y, so just use that with a different field instead of _time. And generally

... | timechart span=s f(x) by y

is the same as

... | chart f(x) _time span=s, y

Alternatively, you could just use max(_time) as _time in your query.

View solution in original post

gkanapathy · ‎12-09-2010

Just don't use timechart and use chart instead. timechart f(x) by y is basically the same as chart f(x) by _time,y, so just use that with a different field instead of _time. And generally

... | timechart span=s f(x) by y

is the same as

... | chart f(x) _time span=s, y

Alternatively, you could just use max(_time) as _time in your query.

gkanapathy · ‎12-10-2010

Use the makecontinuous command on the field before piping to chart

fk319 · ‎12-10-2010

Chart does not fill in the empty '_time' values, so the holes in the data gets dropped out and the data is squashed.

using a different time base on timechart

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor