topic Re: timechart not giving expected result in Dashboards & Visualizations

timechart not giving expected result

pench2k19 — Tue, 29 Sep 2020 23:22:35 GMT

hey guys,

i m planning to draw a trend using timechart command , for some reason the timechart command showing no results but when i used stats or chart command its functioning correct.

following is the query i m using, can any one help me to get the correct query

| inputlookup SLA.csv | rex field=SOR_TDQ_FAIL_SLA_THRESHOLD "(?P.)\,(?.)" | eval sla_time = case(date="BUS_DT+1",strftime(now(),"%Y-%m-%d").",".time,date="BUS_DT+0",strftime(relative_time(time(), "-d"),"%Y-%m-%d".",".time)) | eval sla_time=replace (sla_time,","," ") | eval sla_time=sla_time + ":00" | table SOR_NAME FEED_NAME sla_time | dedup SOR_NAME FEED_NAME | join type=outer SOR_NAME FEED_NAME [search index=xxx source=xxx earliest_time=@d |rex "info\s:\s+{4}\sSTARTED\s+{4}\sJob run_ingest_(?\w+)(?\d+-\d+-\d+-\d+-\d+-\d+)"|rex field=Datafeed_name "^(?\w{2,5})_(?\w+)$" | eval FILE_ARRIVALTIME = strftime(strptime(start_time,"%Y-%m-%d-%H-%M-%S") ,"%Y-%m-%d %H:%M:%S") | eval FILE_ARRIVALTIME_epoch=strptime(FILE_ARRIVALTIME,"%Y-%m-%d %H:%M:%S") |fields SOR_NAME FEED_NAME FILE_ARRIVALTIME FILE_ARRIVALTIME_epoch] | eval now_time=strftime(now(), "%Y-%m-%d %H:%M:%S") | eval now_time_epoch = strptime(now_time,"%Y-%m-%d %H:%M:%S") | eval sla_time_epoch = strptime(sla_time,"%Y-%m-%d %H:%M:%S") | eval time_diff_epoch =sla_time_epoch-FILE_ARRIVALTIME_epoch | fillnull value="0" FILE_ARRIVALTIME_epoch| where FILE_ARRIVALTIME_epoch!=0 |table SOR_NAME FEED_NAME sla_time_epoch FILE_ARRIVALTIME_epoch time_diff_epoch | eval sla_status=case(time_diff_epoch >= 0 , "Completed", time_diff_epoch <= 0 , "Missed SLA",1 = 1, "RISK") |timechart count(FEED_NAME) by sla_status

Re: timechart not giving expected result

pench2k19 — Tue, 19 Feb 2019 12:50:55 GMT

@vnravikumar @jkat54

Re: timechart not giving expected result

vnravikumar — Tue, 19 Feb 2019 13:36:25 GMT

Hi @pench2k19

Try by adding _time in table

your query..... |table SOR_NAME FEED_NAME sla_time_epoch FILE_ARRIVALTIME_epoch time_diff_epoch _time| eval sla_status=case(time_diff_epoch >= 0 , "Completed", time_diff_epoch <= 0 , "Missed SLA",1 = 1, "RISK") |timechart count(FEED_NAME) by sla_status

Re: timechart not giving expected result

pench2k19 — Tue, 19 Feb 2019 14:03:48 GMT

no luck @vnravikumar ...i have laready tried that way...

Re: timechart not giving expected result

vnravikumar — Tue, 19 Feb 2019 14:19:01 GMT

Can you please add in these places too and try

| table SOR_NAME FEED_NAME sla_time

|fields SOR_NAME FEED_NAME FILE_ARRIVALTIME FILE_ARRIVALTIME_epoch

Re: timechart not giving expected result

jkat54 — Tue, 19 Feb 2019 15:02:55 GMT

You need to be sure the _time field exists prior to the timechart command and is in epoch format.

I do not see a _time field in your fields and table commands.

Re: timechart not giving expected result

pench2k19 — Tue, 19 Feb 2019 15:10:46 GMT

No results

Re: timechart not giving expected result

pench2k19 — Wed, 20 Feb 2019 08:00:45 GMT

i have added _time at table and fields command in my query @jkat54 ...but no result

Re: timechart not giving expected result

jkat54 — Wed, 20 Feb 2019 13:39:55 GMT

You need a _time field that is a time in epoch. You don’t have one because your lookup doesn’t have one.

So you have to create one:

| eval _time=strptime(start_time,...