topic Re: Plot Values by Time in Splunk Search

Plot Values by Time

lavster — Wed, 03 Jul 2019 17:44:33 GMT

Hello, im having trouble getting timechart by value to give me any results. I have a data set that has a value for each day, so far 30 days worth of data, each "Elapsed Time" is anywhere from 33 - 40 seconds, showing 00:33:56 etc etc however when i timechart this i dont get any errors but i also dont get any results. i dont want an average or count but the exact value, is this possible?

i've tried |timechart value(elapsed) , | timechart dc(elapsed) | timechart values(elapsed) span=1d | chart values(elapsed) by _time.

any help would be appreciated

Re: Plot Values by Time

marycordova — Wed, 03 Jul 2019 19:13:18 GMT

can you post your full query and a sample data set

Re: Plot Values by Time

rbechtold — Wed, 03 Jul 2019 23:27:06 GMT

Hey Lavster,

I've recreated what I think your dataset might look like in Splunk with the search below. Let me know if it isn't correct:
(you can copy paste this directly into Splunk)

| gentimes start=6/1/19 end=6/30/19 increment=1d 
| eval seconds = random()%7 + 3 
| eval milliseconds = random()%60 
| eval milliseconds = if(len(milliseconds) = 1, "0".milliseconds, milliseconds) 
| eval elapsed = "00:3".seconds.":".milliseconds
| eval _time = starttime
| table _time elapsed

Assuming that it looks correct, you can use this search to convert the time into seconds, which will allow you to plot the values in a chart:

...BASE SEARCH...
| table _time elapsed
| rex field=elapsed "(?<minutes>\d{2})\:(?<seconds>\d{2})\:(?<milliseconds>\d+)"
| eval minutes = minutes * 60, milliseconds = milliseconds / 100
| eval elapsed = minutes + seconds + milliseconds
| chart values(elapsed) OVER _time

Let me know if you run into any trouble!

Re: Plot Values by Time

woodcock — Thu, 04 Jul 2019 00:27:35 GMT

When using timechart, the field used as the argument to the aggregation function (e.g. avg()) must contain only numbers. In your case, it does not, so change that like this:

... | eval | convert dur2sec(elapsed) AS elapsed_seconds | timechart avg(elapsed_seconds) span=1d

Re: Plot Values by Time

lavster — Thu, 04 Jul 2019 06:13:07 GMT

Thanks for this, worked a charm