https://community.splunk.com/t5/Dashboards-Visualizations/How-to-select-all-existing-values-for-multiple-fields-over-time/m-p/431922#M28472 <P>Hi @beetaj</P> <P>You can use the "LogTime" to plot a timechart.</P> <P><CODE>basesearch|eval _time=strptime(LogTime,"%d/%m/%Y %H:%M:%S")| timechart values(Field*) by Field*</CODE></P> Fri, 15 Mar 2019 09:47:39 GMT nickhills 2019-03-15T09:47:39Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-select-all-existing-values-for-multiple-fields-over-time/m-p/431913#M28463 <P>Hi all,</P> <P>I have a set of log data like this below:</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/6669i31AA52B4BE44DA2A/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>How do I plot all available data for all these fields over LogTime?<BR /> Thanks.</P> Thu, 14 Mar 2019 08:51:38 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-select-all-existing-values-for-multiple-fields-over-time/m-p/431913#M28463 beetaj 2019-03-14T08:51:38Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-select-all-existing-values-for-multiple-fields-over-time/m-p/431914#M28464 <P>hi dyude @beetaj ,</P> <P>You can try this </P> <PRE><CODE>Your index | chart list(Fiield1) as Field1 list(Field2) as Field2 list(Field3) as Field3 list(Field4) as Field4 list(Field5) as Field5 by LogTime </CODE></PRE> Thu, 14 Mar 2019 11:27:49 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-select-all-existing-values-for-multiple-fields-over-time/m-p/431914#M28464 vinod94 2019-03-14T11:27:49Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-select-all-existing-values-for-multiple-fields-over-time/m-p/431915#M28465 <P>thanks @vinod94 ,</P> <P>It helped with the statistics/tabular view, but the visualisation doesn't plot anything, tried different graphs, apparently they plot by count, I want the exact data to be dotted on the graph. so that I can see the pattern.<BR /> How do I fix the graph?</P> Thu, 14 Mar 2019 14:39:13 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-select-all-existing-values-for-multiple-fields-over-time/m-p/431915#M28465 beetaj 2019-03-14T14:39:13Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-select-all-existing-values-for-multiple-fields-over-time/m-p/431916#M28466 <P>If you have a basesearch that gives you exactly the table you provided above you can simply do:<BR /> <CODE>basesearch | timechart values(Field*) by Field*</CODE></P> Thu, 14 Mar 2019 15:15:27 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-select-all-existing-values-for-multiple-fields-over-time/m-p/431916#M28466 damann 2019-03-14T15:15:27Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-select-all-existing-values-for-multiple-fields-over-time/m-p/431917#M28467 <P>Thanks @damann ,<BR /> timechart is not particularly helpful as it works based on the event time (index time), where the LogTime above is an indexed field extracted from my log data. Therefore I need a query/function combination that works based on LogTime </P> Thu, 14 Mar 2019 15:26:16 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-select-all-existing-values-for-multiple-fields-over-time/m-p/431917#M28467 beetaj 2019-03-14T15:26:16Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-select-all-existing-values-for-multiple-fields-over-time/m-p/431918#M28468 <P>hi dyude @beetaj ,</P> <P>Iam able to see the chart wrt your values.!</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/6668i45153B2C7E74365C/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>sorry for the typo mistake in the above query..</P> <PRE><CODE>Your index | chart list(Field1) as Field1..... * </CODE></PRE> Fri, 15 Mar 2019 06:05:12 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-select-all-existing-values-for-multiple-fields-over-time/m-p/431918#M28468 vinod94 2019-03-15T06:05:12Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-select-all-existing-values-for-multiple-fields-over-time/m-p/431919#M28469 <P>Thanks @vinod94 ,<BR /> I am really puzzled why I am not getting any graphs! The only difference to the above data is that I have too many more events. However I do it the scale on Y-Axis stays 0-100, but according to the attached values of f1 goes well beyond 100.</P> Fri, 15 Mar 2019 09:24:07 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-select-all-existing-values-for-multiple-fields-over-time/m-p/431919#M28469 beetaj 2019-03-15T09:24:07Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-select-all-existing-values-for-multiple-fields-over-time/m-p/431920#M28470 <P>@beetaj, </P> <P>Can u post a screenshot ? Mostly it shouldn't effect.</P> Fri, 15 Mar 2019 09:26:10 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-select-all-existing-values-for-multiple-fields-over-time/m-p/431920#M28470 vinod94 2019-03-15T09:26:10Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-select-all-existing-values-for-multiple-fields-over-time/m-p/431921#M28471 <P>try running this search .. ive kept some different values </P> <PRE><CODE>| makeresults | eval Field1="20.7,100,56,45,400" | makemv delim="," Field1 | mvexpand Field1 | appendcols [| makeresults | eval Field2="93,15,23.6,10.5,11" | makemv delim="," Field2 | mvexpand Field2] |appendcols [| makeresults | eval Field3="45.1,42.4,67.6,45,90" | makemv delim="," Field3 | mvexpand Field3] |appendcols [| makeresults | eval LogTime="10/03/2019 08:25:09,12/03/2019 08:25:09,13/03/2019 08:25:09,14/03/2019 08:25:09,15/03/2019 08:25:09" | makemv delim="," LogTime | mvexpand LogTime] |chart list(Field1) as Field1 list(Field2) as Field2 list(Field3) as Field3 by LogTime </CODE></PRE> Fri, 15 Mar 2019 09:28:47 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-select-all-existing-values-for-multiple-fields-over-time/m-p/431921#M28471 vinod94 2019-03-15T09:28:47Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-select-all-existing-values-for-multiple-fields-over-time/m-p/431922#M28472 <P>Hi @beetaj</P> <P>You can use the "LogTime" to plot a timechart.</P> <P><CODE>basesearch|eval _time=strptime(LogTime,"%d/%m/%Y %H:%M:%S")| timechart values(Field*) by Field*</CODE></P> Fri, 15 Mar 2019 09:47:39 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-select-all-existing-values-for-multiple-fields-over-time/m-p/431922#M28472 nickhills 2019-03-15T09:47:39Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-select-all-existing-values-for-multiple-fields-over-time/m-p/431923#M28473 <P>Thanks @vinod94 ,<BR /> I accept your response as Answer, and I am able to plot the expected graphs when I test it with some controlled dataset. But when I apply to my real data, I get no graph. Real data volume is high but it shouldn't matter as I filter it down to one second which I have only few events, still no graph is produced!<BR /> I had attached screenshots unfortunately not moderated yet!</P> Fri, 15 Mar 2019 19:28:56 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-select-all-existing-values-for-multiple-fields-over-time/m-p/431923#M28473 beetaj 2019-03-15T19:28:56Z