How to change the TimeChart values on the basis of... - Splunk Community

Dashboards & Visualizations

Hi Everyone,

I am using Timechart on two same queries but their sorting is different.But still the same values are coming for both the queries. Can someone guide me why.

Below are my queries:

index=abc source="/splunkLogs/JOB_NIFI_STATS_FOR_PLATINUM.csv"| eval fields=split(_raw,",") |eval Environment=mvindex(fields,10)|eval NIFI_PG_ID=mvindex(fields,9) |eval JOB_EXEC_TIME=mvindex(fields,5)|eval RunDate2=mvindex(fields,8)|eval JOB_STATUS=mvindex(fields,2)|eval JOB_NM=mvindex(fields,0)|where Environment="E3"|eval Run_Date=strptime(RunDate2,"%Y%m%d")
|fieldformat Run_Date=strftime(Run_Date,"%d/%b/%Y")|timechart sum(JOB_EXEC_TIME) as TotalExecTime by JOB_NM |eval TotalExecTime=round(TotalExecTime,2)|sort -TotalExecTime

index=abc source="/splunkLogs/JOB_NIFI_STATS_FOR_PLATINUM.csv"| eval fields=split(_raw,",") |eval Environment=mvindex(fields,10)|eval NIFI_PG_ID=mvindex(fields,9) |eval JOB_EXEC_TIME=mvindex(fields,5)|eval RunDate2=mvindex(fields,8)|eval JOB_STATUS=mvindex(fields,2)|eval JOB_NM=mvindex(fields,0)|where Environment="E3"|eval Run_Date=strptime(RunDate2,"%Y%m%d")
|fieldformat Run_Date=strftime(Run_Date,"%d/%b/%Y")|timechart sum(JOB_EXEC_TIME) as TotalExecTime by JOB_NM |eval TotalExecTime=round(TotalExecTime,2)|sort TotalExecTime

Can someone guide me where I am wrong.

Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024 | 11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...