topic Re: Adding a Time Range (Extending to the Future) and Use it in a Timechart in Splunk Search

Adding a Time Range (Extending to the Future) and Use it in a Timechart

jameldebbiche — Thu, 20 Feb 2020 10:47:07 GMT

Hi everyone,

We have logs that contain field named "var" with num data type, the value of this field changes through time, so we have two more fields in the log, startDate (when the var acquired the value written in that log) and endDate (when the var value will expire). Both dates are written in the %Y%m%d format. And of course, some of the endDate values are in the future.

I want to create a timechart where the x-axis starts from the first startDate value of the var field and ends at the latest endDate which is in the future. So my question is, after many days of research, is it possible to create a time range that is to be used in the timechart? Something like:

|eval customTimeRange = [earliest(startDate) .. latest(endDate)]
|chart values(var) over customTimeRange by source

Or something similar? Maybe it is worth mentioning, that I want it as a line chart, where the line is continuous and the last value will extend on the chart till the endDate value.

Any help would be appreciated! Thanks in advance.

Re: Adding a Time Range (Extending to the Future) and Use it in a Timechart

mydog8it — Fri, 21 Feb 2020 05:07:59 GMT

So every event has the startDate and EndDate and the var(value)? If that is correct and the x axis is the time line of start to end date, what time would you use in the event to place the var(value) on the timeline?

Re: Adding a Time Range (Extending to the Future) and Use it in a Timechart

jameldebbiche — Fri, 21 Feb 2020 08:09:37 GMT

Good question, sorry I failed to clarify that, I will use another field called (objTimestamp) or even the _time field, since they are very close to each other. Thanks.

Re: Adding a Time Range (Extending to the Future) and Use it in a Timechart

to4kawa — Fri, 21 Feb 2020 08:15:54 GMT

Use it in a Timechart
what's y-axis?

Re: Adding a Time Range (Extending to the Future) and Use it in a Timechart

jameldebbiche — Fri, 21 Feb 2020 08:24:59 GMT

Y axis will be the var value. But timechart will only use _time on the x axis and not the custom range of the earliest startDate and the latest endDate, so that is not I am not using timechart.

Re: Adding a Time Range (Extending to the Future) and Use it in a Timechart

to4kawa — Fri, 21 Feb 2020 08:27:36 GMT

If earliest startDate and the latest endDateis epoch, timechart can be.

Re: Adding a Time Range (Extending to the Future) and Use it in a Timechart

to4kawa — Fri, 21 Feb 2020 08:36:32 GMT

your search
| eval time=mvappend(startDate,endDate)
| streamstats count as session
| mvexpand time
| eval time=strptime(time, "%Y%m%d")
| table time var
| rename time as _time