https://community.splunk.com/t5/Getting-Data-In/How-to-query-key-values-and-draw-timechart/m-p/129252#M26533 <P>does your event have a timestamp? Do all the events contain all those fields? Just those fields? more? Less?</P> Sun, 19 Jul 2015 21:34:12 GMT rsennett_splunk 2015-07-19T21:34:12Z https://community.splunk.com/t5/Getting-Data-In/How-to-query-key-values-and-draw-timechart/m-p/129249#M26530 <P>Here is the sample data.</P> <P>RED: 2086<BR /> GREEN: 1579<BR /> WHITE: 159<BR /> PINK: 348<BR /> ORANGE: 0</P> Sat, 18 Jul 2015 23:56:29 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-query-key-values-and-draw-timechart/m-p/129249#M26530 pavan257 2015-07-18T23:56:29Z https://community.splunk.com/t5/Getting-Data-In/How-to-query-key-values-and-draw-timechart/m-p/129250#M26531 <P>Is this 1 event or 5?</P> Sun, 19 Jul 2015 05:28:42 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-query-key-values-and-draw-timechart/m-p/129250#M26531 woodcock 2015-07-19T05:28:42Z https://community.splunk.com/t5/Getting-Data-In/How-to-query-key-values-and-draw-timechart/m-p/129251#M26532 <P>This was one event.</P> Sun, 19 Jul 2015 13:33:19 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-query-key-values-and-draw-timechart/m-p/129251#M26532 pavan257 2015-07-19T13:33:19Z https://community.splunk.com/t5/Getting-Data-In/How-to-query-key-values-and-draw-timechart/m-p/129252#M26533 <P>does your event have a timestamp? Do all the events contain all those fields? Just those fields? more? Less?</P> Sun, 19 Jul 2015 21:34:12 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-query-key-values-and-draw-timechart/m-p/129252#M26533 rsennett_splunk 2015-07-19T21:34:12Z https://community.splunk.com/t5/Getting-Data-In/How-to-query-key-values-and-draw-timechart/m-p/129253#M26534 <P>Yes, I do have time stamp and all the events will have all these fields with different values.</P> Sun, 19 Jul 2015 22:21:35 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-query-key-values-and-draw-timechart/m-p/129253#M26534 pavan257 2015-07-19T22:21:35Z https://community.splunk.com/t5/Getting-Data-In/How-to-query-key-values-and-draw-timechart/m-p/129254#M26535 <P>This should do it:</P> <PRE><CODE>... | rex max_match=0 field=raw "(?&lt;lineData&gt;[^:]+:\s*\d+)" | mvexpand lineData | rex field=lineData "(?&lt;color&gt;[^:]+):\s*(?&lt;count&gt;\d+)" | timechart span=1h sum(count) AS count BY color </CODE></PRE> <P>This makes your X-axis interval <CODE>1 hour</CODE>.</P> Sun, 19 Jul 2015 22:45:01 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-query-key-values-and-draw-timechart/m-p/129254#M26535 woodcock 2015-07-19T22:45:01Z https://community.splunk.com/t5/Getting-Data-In/How-to-query-key-values-and-draw-timechart/m-p/129255#M26536 <P>No. this query just displaying the events but not the visualization, all these events come through a custom shell script which we made output as "sourcetype = weblogic_stdout" not sure, if that matters here.</P> Sun, 19 Jul 2015 23:59:54 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-query-key-values-and-draw-timechart/m-p/129255#M26536 pavan257 2015-07-19T23:59:54Z https://community.splunk.com/t5/Getting-Data-In/How-to-query-key-values-and-draw-timechart/m-p/129256#M26537 <P>After you run the search, in the UI click on the <CODE>Visualization</CODE> tab and create what ever visualization you need.....</P> Mon, 20 Jul 2015 00:04:18 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-query-key-values-and-draw-timechart/m-p/129256#M26537 MuS 2015-07-20T00:04:18Z https://community.splunk.com/t5/Getting-Data-In/How-to-query-key-values-and-draw-timechart/m-p/129257#M26538 <P>I know, but this query was not representing any timechart to visualize.</P> Mon, 20 Jul 2015 00:10:48 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-query-key-values-and-draw-timechart/m-p/129257#M26538 pavan257 2015-07-20T00:10:48Z https://community.splunk.com/t5/Getting-Data-In/How-to-query-key-values-and-draw-timechart/m-p/129258#M26539 <P>You are going to have to replace <CODE>...</CODE> with your base search. I tested this on your sample data: it works just fine.</P> Mon, 20 Jul 2015 02:43:25 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-query-key-values-and-draw-timechart/m-p/129258#M26539 woodcock 2015-07-20T02:43:25Z https://community.splunk.com/t5/Getting-Data-In/How-to-query-key-values-and-draw-timechart/m-p/129259#M26540 <PRE><CODE>... | rex max_match=0 field=_raw "(?[^:]+:\s*\d+)" | mvexpand lineData | rex field=_raw "(?[^:]+):\s*(?\d+)" | timechart span=1h sum(count) AS count BY color </CODE></PRE> <P>with this query I am able to see only "RED", but I want to see other lines (GREEN, WHITE...) to be charted.</P> Mon, 20 Jul 2015 23:38:25 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-query-key-values-and-draw-timechart/m-p/129259#M26540 pavan257 2015-07-20T23:38:25Z https://community.splunk.com/t5/Getting-Data-In/How-to-query-key-values-and-draw-timechart/m-p/129260#M26541 <P>After further cleanup of y event.. this worked perfectly. Thanks Woodcock.</P> Tue, 21 Jul 2015 01:54:54 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-query-key-values-and-draw-timechart/m-p/129260#M26541 pavan257 2015-07-21T01:54:54Z