https://community.splunk.com/t5/Splunk-Search/Build-a-chart-of-multiple-data-series/m-p/44697#M10556 <P>Hi,</P> <P>Thank you very much, you perfectly answered to my question!</P> <P>Guilhem</P> Wed, 27 Feb 2013 12:52:26 GMT guilmxm 2013-02-27T12:52:26Z https://community.splunk.com/t5/Splunk-Search/Build-a-chart-of-multiple-data-series/m-p/44695#M10554 <P>Hi to everyone, </P> <P>I am designing an application where my users will potentially need to be able to generate a chart with multiple data series. (depending on their own selection and various options available)</P> <P>I searched in different posts and i followed this doc with success:<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/latest/Search/Chartmultipledataseries">http://docs.splunk.com/Documentation/Splunk/latest/Search/Chartmultipledataseries</A></P> <P>This works good, but still i have a small issue with the chart being created in the dashboard, the time period is technically correct but not being shown as would generates the timechart command. (each date section is being shown so too much data with more than a few hours)</P> <P><STRONG>A correct chart generated with timechart:</STRONG><BR /> <IMG src="http://splunk-base.splunk.com//storage/S%C3%A9lection_001.png" alt="alt text" /></P> <P><STRONG>A chart generating with the stat command with multiple series:</STRONG><BR /> <IMG src="http://splunk-base.splunk.com//storage/S%C3%A9lection_002.png" alt="alt text" /></P> <P>My command is the following:</P> <PRE><CODE>index="rls_index" sourcetype="rls_source" $hostname$ $monitor$ $monitor_label$ bucket _time span=1h | stats max(value) As ValMax, min(value) As ValMin by _time,monitor_label | eval s1="max min" | makemv s1 | mvexpand s1 | eval yval=case(s1=="max",ValMax,s1=="min",ValMin) | eval series=monitor_label+":"+s1 | convert ctime(_time) as time | xyseries time,series,yval </CODE></PRE> <P>I needed to add the section "convert ctime(_time) as time" to get a shorter and more readable time format.</P> <P>Does anyone knows how to generate a chart with the time period being correctly shown like with timechart ?</P> <P>I had to use the bucket command to limit the amount of data generated, i also would like to put a timerange condition like the timechart command automatically does ? (something like if more than 1 day then bucket 1 hour and so on)</P> <P>Thank you in advance for any help you could provide.</P> <P>Long live to Splunk ^^</P> Wed, 27 Feb 2013 01:05:55 GMT https://community.splunk.com/t5/Splunk-Search/Build-a-chart-of-multiple-data-series/m-p/44695#M10554 guilmxm 2013-02-27T01:05:55Z https://community.splunk.com/t5/Splunk-Search/Build-a-chart-of-multiple-data-series/m-p/44696#M10555 <P>Use _time in xyseries and add <CODE>... | makecontinuous _time</CODE> to the end. You don't need to convert _time beforehand.</P> <P>The charting stuff makes the x-axis labels 'pretty' if it contains regularly intervaled epoch values</P> Wed, 27 Feb 2013 06:52:06 GMT https://community.splunk.com/t5/Splunk-Search/Build-a-chart-of-multiple-data-series/m-p/44696#M10555 jonuwz 2013-02-27T06:52:06Z https://community.splunk.com/t5/Splunk-Search/Build-a-chart-of-multiple-data-series/m-p/44697#M10556 <P>Hi,</P> <P>Thank you very much, you perfectly answered to my question!</P> <P>Guilhem</P> Wed, 27 Feb 2013 12:52:26 GMT https://community.splunk.com/t5/Splunk-Search/Build-a-chart-of-multiple-data-series/m-p/44697#M10556 guilmxm 2013-02-27T12:52:26Z https://community.splunk.com/t5/Splunk-Search/Build-a-chart-of-multiple-data-series/m-p/44698#M10557 <P>Thanks Guilhem. Accepting the answer is the usual way to award rep (you dont have to spend your own)</P> Wed, 27 Feb 2013 14:45:55 GMT https://community.splunk.com/t5/Splunk-Search/Build-a-chart-of-multiple-data-series/m-p/44698#M10557 jonuwz 2013-02-27T14:45:55Z