Re: Help with simple timechart query

john_byun · ‎06-23-2014

I have a list of events that have a specific value associated with each event. I want to create a line graph of those values. How do I do this?

The elapsed time between each event is not consistent, so I want each event to be logged as a data point on my graph to be able to see the trend over time.

MuS · ‎06-24-2014

Hi john.byun,

timechart will do aggregation on the events, if you don't want aggregation use chart or stats like this:

fieldvalue | chart values(fieldvalue) AS fieldvalues over _time
fieldvalue | stats values(fieldvalue) AS fieldvalues by _time

hope this helps ...

cheers, MuS

MuS · ‎06-25-2014

Please mark this as answered, if it worked for you - thx

john_byun · ‎06-24-2014

Perfect! Thank you very much.

john_byun · ‎06-23-2014

Here is what my data looks like below. I want to create a line chart with time on the x-axis and the fieldvalue on the y-axis.

Time Field Value
12:15 90
12:25 85
1:00 70
1:30 65
2:30 95
4:00 90

john_byun · ‎06-23-2014

Sorry,

fieldvalue | timechart avg(fieldvalue)

grijhwani · ‎06-23-2014

I don't think that is a complete search command.

john_byun · ‎06-23-2014

My current search is simply "timechart avg(fieldvalue)", but this does not give me the results that I want.

I do not want an average of the values.
I want each event to be a datapoint rather than giving me a single datapoint every 30 minutes.

grijhwani · ‎06-23-2014

As I always say, show us an example of your search, don't describe it.

Help with simple timechart query

Enterprise Security Content Update (ESCU) | New Releases

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification