https://community.splunk.com/t5/Splunk-Search/Help-with-timechart-display/m-p/75396#M19056 <P>thanks for your help <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 01 Oct 2013 06:25:43 GMT ChhayaV 2013-10-01T06:25:43Z https://community.splunk.com/t5/Splunk-Search/Help-with-timechart-display/m-p/75390#M19050 <P>hi,</P> <P>this is my search </P> <P>index=tm_idx host="server" | rex field=msg "(?i)TM1\sserver\sload\stime\s(secs)\s=\s(?P<TIMETAKENTOSTART>\w+)" |where timetakentostart!="" |sort _time | stats list(timetakentostart) by date_month</TIMETAKENTOSTART></P> <P>which is giving me following output</P> <P>date_month list(timetakentostart)</P> <P>april 23 23 15 15 73 73 25 25</P> <P>february 24 13</P> <P>january 9 12 12</P> <P>july 34 52353 24</P> <P>june 23</P> <P>march 18 10 13</P> <P>may 25 15 16 16 74</P> <P>september 21 17</P> <P>But i want is as <BR /> date_month list(timetakentostart)</P> <P>april 23:1 23:2 15:1 15:2 73:1 73:2 25:1 25:2</P> <P>february 24:1 13:1</P> <P>january 9:1 12:1 12:2</P> <P>How can i do it? <BR /> any suggestion will a great help</P> <P>Thanks </P> Mon, 28 Sep 2020 14:51:25 GMT https://community.splunk.com/t5/Splunk-Search/Help-with-timechart-display/m-p/75390#M19050 ChhayaV 2020-09-28T14:51:25Z https://community.splunk.com/t5/Splunk-Search/Help-with-timechart-display/m-p/75391#M19051 <P>Sounds like you need ... | stats count by date_month,timetakentostart</P> <P>Though in general it a terrible practice to use date_month. Better to use timechart span=1mon count by timetakentostart</P> Fri, 27 Sep 2013 14:14:37 GMT https://community.splunk.com/t5/Splunk-Search/Help-with-timechart-display/m-p/75391#M19051 gkanapathy 2013-09-27T14:14:37Z https://community.splunk.com/t5/Splunk-Search/Help-with-timechart-display/m-p/75392#M19052 <P>hi thanks for the reply <BR /> actually i want to label entries like for first occurence 16:1 for second occurence in the same month as 16:2 so that i can show them as different stack in a stacked chart..otherwise splunk group same values</P> Sat, 28 Sep 2013 14:31:28 GMT https://community.splunk.com/t5/Splunk-Search/Help-with-timechart-display/m-p/75392#M19052 ChhayaV 2013-09-28T14:31:28Z https://community.splunk.com/t5/Splunk-Search/Help-with-timechart-display/m-p/75393#M19053 <P>So, I'm not sure if what you're trying to do is actually a good idea. But here's an idea of how to accomplish it.</P> <PRE><CODE>index=tm_idx host="server" | rex field=msg "(?i)TM1sserversloadstimes(secs)s=s(?P&lt;timetakentostart&gt;w+)" |where timetakentostart!="" | bucket _time span=1m | streamstats count by timetakentostart _time | eval newfield=timetakentostart + ":" + count | stats list(newfield) by _time </CODE></PRE> <P>That will get you the kind of listing you want. </P> <P>Now, I think the real question is: What is the purpose of this data? What is the question it intends to answer? Because what you're trying to build seems extremely convoluted, and it's not apparent why it needs to be. </P> Mon, 30 Sep 2013 00:37:41 GMT https://community.splunk.com/t5/Splunk-Search/Help-with-timechart-display/m-p/75393#M19053 emiller42 2013-09-30T00:37:41Z https://community.splunk.com/t5/Splunk-Search/Help-with-timechart-display/m-p/75394#M19054 <P>this is one business requirement</P> Mon, 30 Sep 2013 08:39:58 GMT https://community.splunk.com/t5/Splunk-Search/Help-with-timechart-display/m-p/75394#M19054 ChhayaV 2013-09-30T08:39:58Z https://community.splunk.com/t5/Splunk-Search/Help-with-timechart-display/m-p/75395#M19055 <P>Ahh, totally get that. Glad I could help and good luck!</P> Mon, 30 Sep 2013 17:00:04 GMT https://community.splunk.com/t5/Splunk-Search/Help-with-timechart-display/m-p/75395#M19055 emiller42 2013-09-30T17:00:04Z https://community.splunk.com/t5/Splunk-Search/Help-with-timechart-display/m-p/75396#M19056 <P>thanks for your help <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 01 Oct 2013 06:25:43 GMT https://community.splunk.com/t5/Splunk-Search/Help-with-timechart-display/m-p/75396#M19056 ChhayaV 2013-10-01T06:25:43Z