https://community.splunk.com/t5/Dashboards-Visualizations/chart-with-two-lines/m-p/224932#M44995 <P>I do not understand (your language is hard to follow). You should probably create a new question and start over and try to spell out ALL of the details.</P> Wed, 16 Sep 2015 12:13:37 GMT woodcock 2015-09-16T12:13:37Z https://community.splunk.com/t5/Dashboards-Visualizations/chart-with-two-lines/m-p/224923#M44986 <P>Hallo,<BR /> I will make a chart with two lines. I have a query : select a,b,eventtime from t. Eventtime is the datum and time in a char field :"2015-09-11 03:00", for all 15 Minutes there is one record. I will show the values 'a' and 'b' for the last 7 days (i.ex). How can I make it ?<BR /> thank you</P> Tue, 15 Sep 2015 14:05:05 GMT https://community.splunk.com/t5/Dashboards-Visualizations/chart-with-two-lines/m-p/224923#M44986 hunyady 2015-09-15T14:05:05Z https://community.splunk.com/t5/Dashboards-Visualizations/chart-with-two-lines/m-p/224924#M44987 <P>Maybe like this (set <CODE>timepicker</CODE> for <CODE>Last 7 days</CODE><span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> <PRE><CODE>... | timechart span=15m avg(a) AS a avg(b) AS b </CODE></PRE> Tue, 15 Sep 2015 15:36:46 GMT https://community.splunk.com/t5/Dashboards-Visualizations/chart-with-two-lines/m-p/224924#M44987 woodcock 2015-09-15T15:36:46Z https://community.splunk.com/t5/Dashboards-Visualizations/chart-with-two-lines/m-p/224925#M44988 <P>yes, now I have more lines with timestamp of 15 min, but both 'a' and 'b' are empty. Have tried 'avg', 'max'. Result is the same. Empty result by values.</P> Tue, 15 Sep 2015 15:51:54 GMT https://community.splunk.com/t5/Dashboards-Visualizations/chart-with-two-lines/m-p/224925#M44988 hunyady 2015-09-15T15:51:54Z https://community.splunk.com/t5/Dashboards-Visualizations/chart-with-two-lines/m-p/224926#M44989 <P>Show us one of your raw events.</P> Tue, 15 Sep 2015 16:02:52 GMT https://community.splunk.com/t5/Dashboards-Visualizations/chart-with-two-lines/m-p/224926#M44989 woodcock 2015-09-15T16:02:52Z https://community.splunk.com/t5/Dashboards-Visualizations/chart-with-two-lines/m-p/224927#M44990 <P>15.09.15 08:30:00,000<BR /><BR /> "2015-09-15 08:30:00" A=3399, B=5025, EVENTTIME="2015-09-15 08:30:00"</P> <PRE><CODE>EVENTTIME = 2015-09-15 08:30:00 A = 3399 B = 5025 host = myhost source = My_Logs sourcetype = mylogs </CODE></PRE> <P>I have 940 rows ...</P> Wed, 16 Sep 2015 06:38:48 GMT https://community.splunk.com/t5/Dashboards-Visualizations/chart-with-two-lines/m-p/224927#M44990 hunyady 2015-09-16T06:38:48Z https://community.splunk.com/t5/Dashboards-Visualizations/chart-with-two-lines/m-p/224928#M44991 <P>Would something like this work for you:</P> <PRE><CODE>basesearch|earliest=-7d| timechart values(A) as A, values(B) as B </CODE></PRE> <P>The only thing to note is that it will not like it if you have multivalues.<BR /> If this still does not provide anything, do a quick</P> <P>stats values(a) as, values(b) as b by _time</P> <P>just to see whats going on which might help you out. Could it be that it does not realize that EVENTTIME is the timestamp?<BR /> if you do not want to worry about configuring that could you just do something like this as a work around:</P> <PRE><CODE>basesearch|| stats values(A) as A, values(B) as B by EVENTTIME </CODE></PRE> Wed, 16 Sep 2015 08:00:40 GMT https://community.splunk.com/t5/Dashboards-Visualizations/chart-with-two-lines/m-p/224928#M44991 Amohlmann 2015-09-16T08:00:40Z https://community.splunk.com/t5/Dashboards-Visualizations/chart-with-two-lines/m-p/224929#M44992 <P>I see the problem; field names are <EM>case-sensitive</EM>! This will work:</P> <PRE><CODE>... | timechart span=15m avg(A) AS A avg(B) AS B </CODE></PRE> Wed, 16 Sep 2015 08:59:17 GMT https://community.splunk.com/t5/Dashboards-Visualizations/chart-with-two-lines/m-p/224929#M44992 woodcock 2015-09-16T08:59:17Z https://community.splunk.com/t5/Dashboards-Visualizations/chart-with-two-lines/m-p/224930#M44993 <P>Thank you very much !!!<BR /> It was the problem ...</P> Wed, 16 Sep 2015 09:34:52 GMT https://community.splunk.com/t5/Dashboards-Visualizations/chart-with-two-lines/m-p/224930#M44993 hunyady 2015-09-16T09:34:52Z https://community.splunk.com/t5/Dashboards-Visualizations/chart-with-two-lines/m-p/224931#M44994 <P>Hi, new problem.<BR /> Have records from 11-Sept until now. In our Oracle-Database I have all records, 4 records pro hour: eventtime for all 15 Min.<BR /> In Splunk missing for ALL DAY the events between 12:00 - 12:45, We have events until 11:45 and after 13:00.<BR /> Can you have an idee, why ?<BR /> Field "Eventtime" is always generated with sql: to_char(eventtime,"yyyy-mm-dd hh24:mi:ss")<BR /> Have only tried the index new to generate (deleted, new created). All records new loaded. Missing 12:00-12:45.<BR /> Thank you</P> Wed, 16 Sep 2015 11:36:03 GMT https://community.splunk.com/t5/Dashboards-Visualizations/chart-with-two-lines/m-p/224931#M44994 hunyady 2015-09-16T11:36:03Z https://community.splunk.com/t5/Dashboards-Visualizations/chart-with-two-lines/m-p/224932#M44995 <P>I do not understand (your language is hard to follow). You should probably create a new question and start over and try to spell out ALL of the details.</P> Wed, 16 Sep 2015 12:13:37 GMT https://community.splunk.com/t5/Dashboards-Visualizations/chart-with-two-lines/m-p/224932#M44995 woodcock 2015-09-16T12:13:37Z