Solved: How to chart field values by another field _time?

macadminrohit · ‎03-12-2018

Hi,

I am running this query:

index=servers sourcetype=json Name=* Version=* Id=* | dedup _raw |fillnull bdy.ex.Msg value="NullBdyExMsg"|chart count over Name bylevel | eval ratio=((Critical+Error)/Information)

I want a line chart visualization which shows different lines for Name field and _time on X-axis. I tried all the possible options but it doesn't work.

tiagofbmm · ‎03-12-2018

Hi

Name field and _time on X-axis, Try this:

index=servers sourcetype=json Name= Version= Id=* 
| dedup _raw 
|fillnull bdy.ex.Msg value="NullBdyExMsg"
| bucket _time
|chart count over _time by Name

View solution in original post

tiagofbmm · ‎03-12-2018

Hi

Name field and _time on X-axis, Try this:

index=servers sourcetype=json Name= Version= Id=* 
| dedup _raw 
|fillnull bdy.ex.Msg value="NullBdyExMsg"
| bucket _time
|chart count over _time by Name

tiagofbmm · ‎03-21-2018

Please let me know if the answer was useful for you. If it was, accept it and upvote. If not, give us more input so we can help you with that

How to chart field values by another field _time?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio