topic Re: How to create a line chart without timestamp field? in Getting Data In

How to create a line chart without timestamp field?

mik990 — Tue, 27 Aug 2019 13:33:15 GMT

Hi,
I have to compare a search and a List.csv, so I did the following search and all works well:

The problem is that I have to create a line chart about this count, but I cannot use the timechart as usual because in the result the timestamp field is not valorized.
Does anybody know if it is possible (and eventually how) to use the _time value to find out a solution?

Hoping to have been clear enough, I thank you in advance.

Regards.

Re: How to create a line chart without timestamp field?

Sukisen1981 — Tue, 27 Aug 2019 18:46:42 GMT

not very clear. I can see that you choose not to include _time in the stats, is it because there is no such field in the csv?
if so, then how do you want your chart to look, what should be the x-axis?

Re: How to create a line chart without timestamp field?

solarboyz1 — Tue, 27 Aug 2019 19:34:43 GMT

If you have another field containing the time, you can use chart:

| chart count over your_time_field by hostname

However, this does will not group the events by the hour, day, etc.. it will create a value for each unique timestamp in that field.
the bin command can do that:

| bin span=15m your_time_field
| chart count over your_time_field by hostname

As long as your time field is recognized as a time. IF not you may need to use strptime/strftime to get it to a recognized time.

Re: How to create a line chart without timestamp field?

mik990 — Wed, 28 Aug 2019 07:30:04 GMT

Hi Sukisen and thank you for the response, the csv file is only a list of Server that i must verify are sending logs, so basically the result that i have is a list without the timestamp. I would like that the X axis contains the time of the search, for example if I do a search every 2h i need a line chart with every search value.
I hope this makes it clearer.

Thanks

Re: How to create a line chart without timestamp field?

mik990 — Wed, 28 Aug 2019 07:40:16 GMT

Thank you solarboyz,
i don't have a timestamp field in my csv file, as i told to Sukisen i need a line chart that shows the result of the query every x amount of time, rather simple as a concept but struggling to get the result.
In the following pic you can see the logs that i receive as a result, without a timestamp field:

could i use the Time field somehow to reach the goal?

Thank you.

Re: How to create a line chart without timestamp field?

Sukisen1981 — Wed, 28 Aug 2019 08:04:25 GMT

hi @mik990
say at 8 am you run this and get a count of 3
at 12 pm you run this get a count of 5
how do you want your chart, a line chart with 2 points 3 and 5 in the y axis and 8AM and 12PM in the x axis?

Re: How to create a line chart without timestamp field?

mik990 — Wed, 28 Aug 2019 08:27:09 GMT

Hi @Sukisen1981 you get the point! I need a chart that show the result of the query every "x" time, likely the timechart function.

Thank you

Re: How to create a line chart without timestamp field?

Sukisen1981 — Wed, 28 Aug 2019 08:32:29 GMT

but how do you propose to get the times, 8AM and 12 PM?
Its not part of your lookup csv, is it being captured somewhere in the index?
When you run the search at 12PM how will you know what the count WAS at 8AM?
Is it possible that your serverlist index has some timestamps?

Re: How to create a line chart without timestamp field?

mik990 — Wed, 28 Aug 2019 10:03:04 GMT

I would like to use the time of the search itself, in fact the time that interests me is the time in the moment of the search.
Can't I make sure I get the query results at different times in the line chart?
The servelist file does not have a timestamp because it simply represents the list of servers that I should find in case everything works, in fact the goal of the check is to always have as a result 0 (no server missing)

Re: How to create a line chart without timestamp field?

Sukisen1981 — Wed, 28 Aug 2019 10:07:50 GMT

i think you need to provide a mock screen snap of what you need.
' in fact the time that interests me is the time in the moment of the search.'
I am sure I am getting this wrong, but then you will have 1 single dot with the count value at 12 PM, what kind of line do you need? can you explain more?

Re: How to create a line chart without timestamp field?

mik990 — Wed, 28 Aug 2019 10:34:26 GMT

Sure @Sukisen1981 , i need a line chart like this one:

I uses the query "index=serverlist | dedup hostname | timechart span=30d count", in this case i need to find the total amount of sending servers and it works.

I need to do the same thing with the list of "non-sending" servers, so i have to a line that rapresent the number of missing server during a period, for example if i do a search from 9:00 to 10:00 i have 3 missing servers, from 12:00 to 13:00 5, and so on. I need a line that rapresent this trend.
I hope is clear now, sorry if i can't explain myself correctly and thanks for your time.

Regards.

Re: How to create a line chart without timestamp field?

Sukisen1981 — Wed, 28 Aug 2019 11:45:40 GMT

possible to share your snap from imgur or something or just edit your question with the image? it is not visible here

Re: How to create a line chart without timestamp field?

snigdhasaxena — Wed, 30 Sep 2020 01:59:37 GMT

@mik990 using the search as told by solarboyz1 , | bin span=15m your_time_field
| chart count over your_time_field by hostname, in the vizualization tab you can pick line chart and you'll get it as per the _time

Re: How to create a line chart without timestamp field?

mik990 — Wed, 28 Aug 2019 12:14:18 GMT

Sure, try with this link please https://imgur.com/sWIXvmG

Re: How to create a line chart without timestamp field?

Sukisen1981 — Wed, 28 Aug 2019 12:18:55 GMT

hi @snigdhasaxena and @mik990
No just performing a chart by _time won't work, the _time will always be the same in this case , the value of the CSV update and that is @mik990 's issue.
I still donot understand what kind of a line chart is needed, if you apply a stats or a timechart here all you will get is one single point and yet mik needs a line chart, so I am not able to understand what is needed to be honest.

Re: How to create a line chart without timestamp field?

mik990 — Wed, 28 Aug 2019 12:20:56 GMT

Hi @snigdhasaxena and thanks for your reply, but if I add to my search i get "No result found" , i can't understand if there is something wrong.

Thank you.

Re: How to create a line chart without timestamp field?

mik990 — Wed, 28 Aug 2019 12:25:44 GMT

Hi @Sukisen1981 , if I do different searches in different period i receive different results, so basically i need the trend of these results, something like a refresh of the situation but in a line chart, an "history" of results.

Thanks

Re: How to create a line chart without timestamp field?

Sukisen1981 — Wed, 28 Aug 2019 13:01:57 GMT

so do you have an earlier timestamp than 9:54:30 or the latest run in the Time column?
If no, then it is difficult to fathom from where you propose to pick up the 'history' runs.
Is this doable? Yes, but then we need to delve into the saved search jobs etc. It will be complex
But first, if you run your index query all time, do you just see the current(9:54:30) timestamp or the previous runs as well?

Re: How to create a line chart without timestamp field?

mik990 — Wed, 28 Aug 2019 13:31:12 GMT

Yes I have an earlier timestamp, consider that i'm working in a lab and i upload two list of hostname in two different days to test the search(as you can see in the attachement):

https://imgur.com/MSwSFuR

I run the search All time as an example, In production i will run the search about the last month or something like this.

Re: How to create a line chart without timestamp field?

Sukisen1981 — Wed, 28 Aug 2019 16:12:07 GMT

then you do have a _time filed , that is 9:54:30 and 11:48:35
both timechart and bin with stats will work here, what is the issue?