Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why is timchart not working on lookup csv data?

venky1544
Builder
‎09-12-2023 04:44 AM

Hi All

i ahve a lookup file .csv where i have timestamp Name and USEDGB values  i have been trying to run a time chart to see the total USEDGB per day Both lookup definition and lookup table file has app permissions 

|inputlookup ABC_DISK_UTILIZATION.csv |eval  _time=Timestamp |timechart span=24h sum(USEDGB)  

the result only shows time but no values of USEDGB can you please help 

Timestamp NAME USEDGB
12/08/2023 22:04 RECO_A 48.61
12/08/2023 13:04 RECO_B 46.21
12/08/2023 03:04 RECO_C 46133.89
11/08/2023 20:01 RECO_A 164.11
11/08/2023 18:01 RECO_B 48.61
11/08/2023 16:01 RECO_C 46.21
10/08/2023 22:00 RECO_A 45327.22
10/08/2023 17:00 RECO_B 193.4
10/08/2023 08:00 RECO_C 48.61
09/08/2023 21:00 RECO_A 46.21
09/08/2023 13:00 RECO_B 45205.72
09/08/2023 06:00 RECO_C 132.57
08/08/2023 19:00 RECO_A 48.61
08/08/2023 12:00 RECO_B 46.21
08/08/2023 10:00 RECO_C 45203.77
07/08/2023 22:00 RECO_A 132.56
07/08/2023 14:00 RECO_B 48.61
07/08/2023 07:00 RECO_C 46.21
06/08/2023 22:04 RECO_A 45199.08
06/08/2023 13:04 RECO_B 123.85
06/08/2023 03:04 RECO_C 48.61
05/08/2023 20:01 RECO_A 46.21
05/08/2023 18:01 RECO_B 45196.12
05/08/2023 16:01 RECO_C 117.4

 

venky1544_0-1694519142205.png

 

 

 

Labels (2)
Labels
Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-12-2023 05:11 AM

The timestamp commands requires the _time field, which must be in epoch form.  Convert Timestamp into _time using strptime().

|inputlookup ABC_DISK_UTILIZATION.csv 
|eval _time=strptime(Timestamp, "%d/%m/%Y %H:%M") 
|timechart span=24h sum(USEDGB)

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

venky1544
Builder
‎09-12-2023 06:03 AM

Hi @richgalloway 

did tried that not working 😞

 

venky1544_0-1694523790391.png

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-12-2023 06:48 AM

There doesn't appear to be anything wrong with your search - perhaps it is your data. Please share some actual rows from your csv.

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...