https://community.splunk.com/t5/Splunk-Search/Not-able-to-generate-timechart-from-a-multivalue-field/m-p/387830#M113124 <P>In your table there is also values like that?</P> Mon, 15 Jul 2019 07:04:05 GMT FrankVl 2019-07-15T07:04:05Z https://community.splunk.com/t5/Splunk-Search/Not-able-to-generate-timechart-from-a-multivalue-field/m-p/387825#M113119 <P>I am getting my input in json format like below,</P> <PRE><CODE>{"message":{"SID":"DEV","TIMESTAMP":1563095600,"PARAMS":[{"PROC_CODE":"10110","PROC_VALUE":" 2","SYS_NAME":"ALL"},{"PROC_CODE":"10010","PROC_VALUE":"20190712","SYS_NAME":"sapbcsdev_DEV_00"},{"PROC_CODE":"10020","PROC_VALUE":"125853","SYS_NAME":"sapbcsdev_DEV_00"},{"PROC_CODE":"10030","PROC_VALUE":"9","SYS_NAME":"sapbcsdev_DEV_00"},{"PROC_CODE":"10040","PROC_VALUE":"1","SYS_NAME":"sapbcsdev_DEV_00"} </CODE></PRE> <P>I am printing this value in table by using below query.</P> <PRE><CODE>index="test_data" sourcetype="SAP:data" | rename message.PARAMS{}.PROC_CODE as PROC_CODE, message.PARAMS{}.PROC_VALUE as PROC_VALUE, message.PARAMS{}.SYS_NAME as SYS_NAME, message.SID as SID, message.TIMESTAMP as TIMESTAMP | eval TIMESTAMP=strftime(TIMESTAMP, "%Y-%m-%d %H:%M:%S") | eval mvf1 = mvzip(PROC_CODE, PROC_VALUE, ";") | eval mvf2 = mvzip(mvf1, SYS_NAME, ";") | mvexpand mvf2 | eval n=split(mvf2,";") | eval PROC_CODE=mvindex(n,0), PROC_VALUE=mvindex(n,1), SYS_NAME=mvindex(n,2) | lookup PROC_DETAIL PROC_CODE OUTPUT PROC_CODE PROC_NAME PROC_PARA PROC_TYPE | search SYS_NAME="*" PROC_TYPE=* PROC_PARA=* | table TIMESTAMP SID SYS_NAME PROC_TYPE PROC_PARA PROC_CODE PROC_NAME PROC_VALUE </CODE></PRE> <P>Below is the output of this query.</P> <PRE><CODE>TIMESTAMP SID SYS_NAME PROC_TYPE PROC_PARA PROC_CODE PROC_NAME PROC_VALUE 2019-07-14 08:48:20 DEV ALL KPI ALL 10110 Number of App Servers 2 2019-07-14 08:48:20 DEV sapbcsdev_DEV_00 INFO INSTANCE 10010 INSTANCE START DATE 20190712 2019-07-14 08:48:20 DEV sapbcsdev_DEV_00 INFO INSTANCE 10020 INSTANCE START TIME 125853 2019-07-14 08:48:20 DEV sapbcsdev_DEV_00 KPI INSTANCE 10030 Workprocess Dia Active Count 9 2019-07-14 08:48:20 DEV sapbcsdev_DEV_00 KPI INSTANCE 10040 Workprocess Upd Active Count 1 </CODE></PRE> <P>Now when I am trying to publish some trent using timechart like avg/ min/ max on PROC_VALUE, i am not getting proper output. I assume that still PROC_VALUE is behaving like multi value field.</P> Wed, 30 Sep 2020 01:18:34 GMT https://community.splunk.com/t5/Splunk-Search/Not-able-to-generate-timechart-from-a-multivalue-field/m-p/387825#M113119 twh1 2020-09-30T01:18:34Z https://community.splunk.com/t5/Splunk-Search/Not-able-to-generate-timechart-from-a-multivalue-field/m-p/387826#M113120 <P>Can you perhaps share the actual query incl. the timechart attempt and explain the output you get and how that is not what you want?</P> <P>To make the <CODE>timechart</CODE> command work, you need to have an <CODE>_time</CODE> field, containing an epoch timestamp.</P> Sun, 14 Jul 2019 10:11:13 GMT https://community.splunk.com/t5/Splunk-Search/Not-able-to-generate-timechart-from-a-multivalue-field/m-p/387826#M113120 FrankVl 2019-07-14T10:11:13Z https://community.splunk.com/t5/Splunk-Search/Not-able-to-generate-timechart-from-a-multivalue-field/m-p/387827#M113121 <P>Hi @FrankVl <BR /> I am using below query for timechart.</P> <PRE><CODE>index="test_data" sourcetype="SAP:data" | rename message.PARAMS{}.PROC_CODE as PROC_CODE, message.PARAMS{}.PROC_VALUE as PROC_VALUE, message.PARAMS{}.SYS_NAME as SYS_NAME, message.SID as SID, message.TIMESTAMP as TIMESTAMP | eval TIMESTAMP=strftime(TIMESTAMP, "%Y-%m-%d %H:%M:%S") | eval mvf1 = mvzip(PROC_CODE, PROC_VALUE, ";") | eval mvf2 = mvzip(mvf1, SYS_NAME, ";") | mvexpand mvf2 | eval n=split(mvf2,";") | eval PROC_CODE=mvindex(n,0), PROC_VALUE=mvindex(n,1), SYS_NAME=mvindex(n,2) | lookup PROC_DETAIL PROC_CODE OUTPUT PROC_CODE PROC_NAME PROC_PARA PROC_TYPE | search SYS_NAME="*" PROC_TYPE=* PROC_PARA=* PROC_CODE=10130 | timechart span=5m avg(PROC_VALUE) as "Average Value" </CODE></PRE> <P>I need avg/max/min of PROC_VALUE over the time.</P> Sun, 14 Jul 2019 10:18:44 GMT https://community.splunk.com/t5/Splunk-Search/Not-able-to-generate-timechart-from-a-multivalue-field/m-p/387827#M113121 twh1 2019-07-14T10:18:44Z https://community.splunk.com/t5/Splunk-Search/Not-able-to-generate-timechart-from-a-multivalue-field/m-p/387828#M113122 <P>Hi,</P> <PRE><CODE> index="test_data" sourcetype="SAP:data" | rename message.PARAMS{}.PROC_CODE as PROC_CODE, message.PARAMS{}.PROC_VALUE as PROC_VALUE, message.PARAMS{}.SYS_NAME as SYS_NAME, message.SID as SID, message.TIMESTAMP as TIMESTAMP | eval TIMESTAMP=strftime(TIMESTAMP, "%Y-%m-%d %H:%M:%S") | eval mvf1 = mvzip(PROC_CODE, PROC_VALUE, ";") | eval mvf2 = mvzip(mvf1, SYS_NAME, ";") | mvexpand mvf2 | eval n=split(mvf2,";") | eval PROC_CODE=mvindex(n,0), PROC_VALUE=mvindex(n,1), SYS_NAME=mvindex(n,2) | eval _time=strptime(TIMESTAMP, "%Y-%m-%d %H:%M:%S") | timechart span=5m min(PROC_VALUE) avg(PROC_VALUE) max(PROC_VALUE) </CODE></PRE> <P>should do the job</P> Sun, 14 Jul 2019 11:01:59 GMT https://community.splunk.com/t5/Splunk-Search/Not-able-to-generate-timechart-from-a-multivalue-field/m-p/387828#M113122 schose 2019-07-14T11:01:59Z https://community.splunk.com/t5/Splunk-Search/Not-able-to-generate-timechart-from-a-multivalue-field/m-p/387829#M113123 <P>Hi @schose <BR /> I have already tried above query but it's showing me wrong output.<BR /> with table command I am getting value in PROC_VALUE like 2,1, 0, 2 but avg is coming like 20190712, which is wrong output.</P> Sun, 14 Jul 2019 11:56:07 GMT https://community.splunk.com/t5/Splunk-Search/Not-able-to-generate-timechart-from-a-multivalue-field/m-p/387829#M113123 twh1 2019-07-14T11:56:07Z https://community.splunk.com/t5/Splunk-Search/Not-able-to-generate-timechart-from-a-multivalue-field/m-p/387830#M113124 <P>In your table there is also values like that?</P> Mon, 15 Jul 2019 07:04:05 GMT https://community.splunk.com/t5/Splunk-Search/Not-able-to-generate-timechart-from-a-multivalue-field/m-p/387830#M113124 FrankVl 2019-07-15T07:04:05Z https://community.splunk.com/t5/Splunk-Search/Not-able-to-generate-timechart-from-a-multivalue-field/m-p/387831#M113125 <P>hi @FrankVl <BR /> In table i am getting proper result.</P> Mon, 15 Jul 2019 09:03:30 GMT https://community.splunk.com/t5/Splunk-Search/Not-able-to-generate-timechart-from-a-multivalue-field/m-p/387831#M113125 twh1 2019-07-15T09:03:30Z https://community.splunk.com/t5/Splunk-Search/Not-able-to-generate-timechart-from-a-multivalue-field/m-p/387832#M113126 <P>In the table you posted in your question I also see those high values in the PROC_VALUE column.</P> Mon, 15 Jul 2019 10:45:56 GMT https://community.splunk.com/t5/Splunk-Search/Not-able-to-generate-timechart-from-a-multivalue-field/m-p/387832#M113126 FrankVl 2019-07-15T10:45:56Z https://community.splunk.com/t5/Splunk-Search/Not-able-to-generate-timechart-from-a-multivalue-field/m-p/387833#M113127 <P>Hi @FrankVl <BR /> I want to create chart only for specific PROC_CODE.</P> Mon, 15 Jul 2019 14:28:02 GMT https://community.splunk.com/t5/Splunk-Search/Not-able-to-generate-timechart-from-a-multivalue-field/m-p/387833#M113127 twh1 2019-07-15T14:28:02Z https://community.splunk.com/t5/Splunk-Search/Not-able-to-generate-timechart-from-a-multivalue-field/m-p/387834#M113128 <P>Can you then please share the output of the relevant table command, incl. the filter. Because now it is rather confusing.</P> Mon, 15 Jul 2019 14:51:32 GMT https://community.splunk.com/t5/Splunk-Search/Not-able-to-generate-timechart-from-a-multivalue-field/m-p/387834#M113128 FrankVl 2019-07-15T14:51:32Z https://community.splunk.com/t5/Splunk-Search/Not-able-to-generate-timechart-from-a-multivalue-field/m-p/387835#M113129 <P>You have to put this in there somewhere:</P> <PRE><CODE>... | search NOT "PROC_NAME"="Instance Start*" | ... </CODE></PRE> Mon, 15 Jul 2019 15:24:23 GMT https://community.splunk.com/t5/Splunk-Search/Not-able-to-generate-timechart-from-a-multivalue-field/m-p/387835#M113129 woodcock 2019-07-15T15:24:23Z https://community.splunk.com/t5/Splunk-Search/Not-able-to-generate-timechart-from-a-multivalue-field/m-p/387836#M113130 <P>Hi @FrankVl <BR /> Below is the output in table format. I want timechart based on PROC_VALUE field. (like avg/ min/ max)</P> <PRE><CODE>TIMESTAMP SID SYS_NAME PROC_TYPE PROC_PARA PROC_CODE PROC_NAME PROC_VALUE 2019-07-14 15:13:20 DEV ALL KPI INSTANCE 10130 User Count 4 2019-07-14 15:13:20 DEV ALL KPI INSTANCE 10130 User Count 2 2019-07-14 15:08:20 DEV ALL KPI INSTANCE 10130 User Count 4 2019-07-14 15:08:20 DEV ALL KPI INSTANCE 10130 User Count 2 2019-07-14 15:03:20 DEV ALL KPI INSTANCE 10130 User Count 4 2019-07-14 15:03:20 DEV ALL KPI INSTANCE 10130 User Count 2 2019-07-14 14:58:20 DEV ALL KPI INSTANCE 10130 User Count 4 </CODE></PRE> Tue, 16 Jul 2019 03:32:04 GMT https://community.splunk.com/t5/Splunk-Search/Not-able-to-generate-timechart-from-a-multivalue-field/m-p/387836#M113130 twh1 2019-07-16T03:32:04Z https://community.splunk.com/t5/Splunk-Search/Not-able-to-generate-timechart-from-a-multivalue-field/m-p/387837#M113131 <P>Just add this to the bottom of your existing search:</P> <PRE><CODE>... | eval PROC_NAME = "PROC_NAME_" . PROC_NAME | eval {PROC_NAME} = PROC_VALUE | eval _time = strptime(TIMESTAMP, "%Y-%m-%d %H:%M:%S") | timechart min(PROC_NAME_*) AS min_* max(PROC_NAME_*) AS max_* avg(PROC_NAME_*) AS avg_* </CODE></PRE> <P>Here is a run-anywhere PoC:</P> <PRE><CODE>| makeresults | eval raw="TIMESTAMP=2019-07-14T08:48:20,SID=DEV,SYS_NAME=ALL,PROC_TYPE=KPI,PROC_PARA=ALL,PROC_CODE=10110,PROC_NAME=Number_of_App_Servers,PROC_VALUE=2 TIMESTAMP=2019-07-14T08:48:20,SID=DEV,SYS_NAME=sapbcsdev_DEV_00,PROC_TYPE=INFO,PROC_PARA=INSTANCE,PROC_CODE=10010,PROC_NAME=INSTANCE_START_DATE,PROC_VALUE=20190712 TIMESTAMP=2019-07-14T08:48:20,SID=DEV,SYS_NAME=sapbcsdev_DEV_00,PROC_TYPE=INFO,PROC_PARA=INSTANCE,PROC_CODE=10020,PROC_NAME=INSTANCE_START_TIME,PROC_VALUE=125853 TIMESTAMP=2019-07-14T08:48:20,SID=DEV,SYS_NAME=sapbcsdev_DEV_00,PROC_TYPE=KPI,PROC_PARA=INSTANCE,PROC_CODE=10030,PROC_NAME=Workprocess_Dia_Active_Count,PROC_VALUE=9 TIMESTAMP=2019-07-14T08:48:20,SID=DEV,SYS_NAME=sapbcsdev_DEV_00,PROC_TYPE=KPI,PROC_PARA=INSTANCE,PROC_CODE=10040,PROC_NAME=Workprocess_Upd_Active_Count,PROC_VALUE=1" | makemv raw | mvexpand raw | rename raw AS _raw | kv | rex field=TIMESTAMP mode=sed "s/T/ /" | eval PROC_NAME = "PROC_NAME_" . PROC_NAME | eval {PROC_NAME} = PROC_VALUE | eval _time = strptime(TIMESTAMP, "%Y-%m-%d %H:%M:%S") | timechart min(PROC_NAME_*) AS min_* max(PROC_NAME_*) AS max_* avg(PROC_NAME_*) AS avg_* </CODE></PRE> Sat, 27 Jul 2019 23:09:28 GMT https://community.splunk.com/t5/Splunk-Search/Not-able-to-generate-timechart-from-a-multivalue-field/m-p/387837#M113131 woodcock 2019-07-27T23:09:28Z