Re: displaying chart

shreeCS · ‎09-11-2013

Hi,

I have csv file uploaded on to splunk.Here is the sample entries

Intime Outtime
8:33  17:39
8:38  17:40
8:33  19:28
8:32  17:37

Here i created calculated field which gives the difference between Intime and outtime.
Expected output is

Intime Outtime  durationHrs
8:33  17:39      9.100
8:38  17:40      9.033
8:33  19:28      10.19
8:32  17:37      9.083

The query is given below :

host="abc" | convert mstime(Outtime) AS otime | convert mstime(Intime) AS itime |eval durationHrs=(otime - itime)/60 | Timechart count by durationHrs

Here i want to generate a chart in such a way that my Y-axis should be durationHrs and X-axis should be time but in the above query,in Y-axis i'm getting count not the durationHrs values.
How this can be done? Do we need to use different function other than count in a timechart,if yes what needs to be used/done?

Thank you

MuS · ‎09-12-2013

Hi shreeCS

well timechart has time on the X-axis by default. Your problem is that you count the numbers of events that contain a field named durationHrs, instead of displaying the values of this field.
To achieve what you want, change your search to something like this:

 host="abc" | convert mstime(Outtime) AS otime, mstime(Intime) AS itime |eval durationHrs=(otime - itime)/60 | timechart values(durationHrs) AS myDuration

hope this helps.....

cheers, MuS

shreeCS · ‎09-12-2013

Hi MuS,Whatever you suggested is working fine.
Thanks!!

displaying chart

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk