https://community.splunk.com/t5/Dashboards-Visualizations/Why-is-the-chart-command-not-working-properly/m-p/397701#M26024 <P>Thank you super very much.</P> Wed, 20 Jun 2018 14:30:47 GMT zacksoft 2018-06-20T14:30:47Z https://community.splunk.com/t5/Dashboards-Visualizations/Why-is-the-chart-command-not-working-properly/m-p/397699#M26022 <P>sample event</P> <H1>10.138.258.78 522x533587x10 JOHNNY [20/Jun/2018:08:42:23 -0400] "GET /rest/redbopper/1.0/xboard/work/allData.json?rapidViewId=9124&amp;selectedProjectKey=BMRIEMARED&amp;etag=9128%2C1529498111000%2C%5B%5D%2C%5B%5D%2C560&amp;_=1529498542404 HTTP/1.1" 200 181 <STRONG>748</STRONG> "<A href="https://phutan.mayhem.com/secure/ActiveBoard.jspa?superView=9024">https://phutan.mayhem.com/secure/ActiveBoard.jspa?superView=9024</A>" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36" "ihb3tl"</H1> <P>The number in bold indicates the response time and JOHNNY is the user. I wanted to get a chart drawn of the response time of all the transactions of the user. Here is my query. But I am not able to use the chart command properly.</P> <PRE><CODE>sourcetype="Zaccess" host=A OR host=B NOT host=C AND JOHNNY | eval headers=split(_raw," ") | eval username=mvindex(headers,2) | eval method=mvindex(headers,5) | eval Request=mvindex(headers,6) | eval Status=mvindex(headers,8) | eval req_time=mvindex(headers,10) | eval uri=mvindex(headers,11) | eval Method=replace(method,"\"","") | eval uri=replace(uri,"\"","") | eval Run_Time = req_time*0.001 | rex field=_raw "\"(?[^\s]+)\"$" | eval c_time=strftime(_time,"%m/%d/%y %H:%M:%S") </CODE></PRE> <P>Also, is it possible to input the username as a parameter as a dashboard input instead of hardcoding it in the query?</P> Wed, 20 Jun 2018 12:58:36 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Why-is-the-chart-command-not-working-properly/m-p/397699#M26022 zacksoft 2018-06-20T12:58:36Z https://community.splunk.com/t5/Dashboards-Visualizations/Why-is-the-chart-command-not-working-properly/m-p/397700#M26023 <P>Hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/65483">@zacksoft</a>,</P> <P>Does this work for you ? </P> <PRE><CODE>|stats count|eval _raw="10.138.258.78 522x533587x10 JOHNNY [20/Jun/2018:08:42:23 -0400] \"GET /rest/redbopper/1.0/xboard/work/allData.json?rapidViewId=9124&amp;selectedProjectKey=BMRIEMAREDηg=9128%2C1529498111000%2C%5B%5D%2C%5B%5D%2C560&amp;_=1529498542404 HTTP/1.1\" 200 181 748 \"https://phutan.mayhem.com/secure/ActiveBoard.jspa?superView=9024\" \"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36\" \"ihb3tl\"" |rex "^(?:[^ \n]* ){2}(?P&lt;user&gt;\w+)"|rex "^(?:[^ \n]* ){10}(?P&lt;resp_time&gt;\d+)"|rex "^[^ \n]* (?P&lt;txn_id&gt;[^ ]+)" |fields user,resp_time,txn_id|stats max(resp_time) by txn_id </CODE></PRE> <P>Only last 2 lines are processing data.</P> <P>Yes you could use parameter for user name in dashboard using <CODE>tokens</CODE>. Refer to <A href="https://docs.splunk.com/Documentation/SplunkCloud/7.0.3/Viz/tokens#Define_tokens_for_form_inputs" target="_blank">Define_tokens_for_form_inputs</A></P> Tue, 29 Sep 2020 20:06:19 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Why-is-the-chart-command-not-working-properly/m-p/397700#M26023 renjith_nair 2020-09-29T20:06:19Z https://community.splunk.com/t5/Dashboards-Visualizations/Why-is-the-chart-command-not-working-properly/m-p/397701#M26024 <P>Thank you super very much.</P> Wed, 20 Jun 2018 14:30:47 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Why-is-the-chart-command-not-working-properly/m-p/397701#M26024 zacksoft 2018-06-20T14:30:47Z