topic Re: Timechart command in lookup or CSV File in Splunk Search

Timechart command in lookup or CSV File

ashish9433 — Tue, 29 Sep 2020 18:32:43 GMT

Hi Team,

I have a scheduled search which generates a lookup file similar to below

Whenever i run stats command on this data it runs perfectly fine. But whenever i try to run timechart command it doesnt work, like below

search ...| timechart count by image_name
search ... | timechart count(image_name)

or any permutation i try with i get either zero or null but not the actuall count or aggregate function. Basically i am looking to use span/bin on this data but i am unable to do that so thought of using timechart command.

I have properly formatted the time to _time by converting into epoch time and then into %c standard format.

I am not sure why timechart is not working on the lookup/csv file data.

Re: Timechart command in lookup or CSV File

p_gurav — Tue, 20 Mar 2018 08:13:50 GMT

Can you provide query you are using for converting?

Re: Timechart command in lookup or CSV File

tiagofbmm — Tue, 20 Mar 2018 08:21:26 GMT

Hey

Please try this option:

| inputlookup csv_timechart.csv
| eval _time=strptime(_time,"%m/%d/%Y")
| timechart count by image_name

Re: Timechart command in lookup or CSV File

gcusello — Tue, 20 Mar 2018 08:22:34 GMT

Hi ashish9433,
what's your need?
do you want to count values or only display them?

if you want to count events or sum values you could use chart command

my_search
| chart count over _time BY image_name

If instead you want only to display values, you could use table command

my_search
| table _time image_name os_name

Bye.
Giuseppe

Re: Timechart command in lookup or CSV File

kamlesh_vaghela — Tue, 20 Mar 2018 08:26:24 GMT

Hi @ashish9433 ,
Can you please try this?

YOUR_SEARCH | eval _time=strptime(_time,"%m/%d/%Y")| timechart count by image_name

Thanks

Re: Timechart command in lookup or CSV File

ashish9433 — Tue, 20 Mar 2018 12:48:56 GMT

I already did this, the problem is the result is shown as list of all image_name as columns and date as rows with all zero in all the row of all the cloumns and thus the issue!

Re: Timechart command in lookup or CSV File

ashish9433 — Tue, 20 Mar 2018 12:50:46 GMT

I want to group by span=15d and have a visualization and also use a single value with trend indicator option.
I tried span, bin and timechart none of them is working on lookup data.

Re: Timechart command in lookup or CSV File

ashish9433 — Tue, 20 Mar 2018 12:51:11 GMT

I already did this, the problem is the result is shown as list of all image_name as columns and date as rows with all zero in all the row of all the cloumns and thus the issue!

Re: Timechart command in lookup or CSV File

tiagofbmm — Tue, 20 Mar 2018 13:06:10 GMT

I just copied your entire lookup in the image and tried this myself by creating a .csv.

I don't have zeros in all rows and so it seems that your csv is not well formatted. Can you try what I just did?

Create a csv in a plaintext file:

_time,image_name,os_name
10/01/2018, azure1, CentOS7
10/02/2018, azure1, CentOS7
15/02/2018, azure1, CentOS7
20/02/2018, azure3, CentOS7
10/03/2018, azure3, CentOS7
11/03/2018, azure2, CentOS7
12/03/2018, azure2, CentOS7

Save it like this and to csv_timechart.csv, put it in the lookup folder of the app you are using, and run the command I told you.

Feed us back please