topic Re: Not able to apply the timechart on mentioned query in Splunk Search

Not able to apply the timechart on mentioned query

nikhilup05 — Wed, 27 Oct 2021 10:50:38 GMT

Re: Not able to apply the timechart on mentioned query

richgalloway — Wed, 27 Oct 2021 13:06:17 GMT

What is preventing you from applying a timechart? How have you tried to do so? What error do you get when you try?

Re: Not able to apply the timechart on mentioned query

nikhilup05 — Wed, 27 Oct 2021 13:53:12 GMT

I have passed timechart usenull=f span=1d count by Status after the above query. But I am getting the error as no data found.

Re: Not able to apply the timechart on mentioned query

richgalloway — Wed, 27 Oct 2021 17:28:06 GMT

This run-anywhere version of your query produces results.

| makeresults | eval msg="InputAmountToCredit\":\"23\", Request#: 11 with foo.bar CRERequestId\":\"fubar" | rex field=msg "InputAmountToCredit\"\:\"(?<PayloadAmount>[^\"]+)" | rex field=msg "Request\#\:\s*(?<ID1>\d+) with (?<Status>\w+.\w+)" | rex field=msg "CRERequestId\"\:\"(?<ID2>[^\"]+)" | eval ID=coalesce(ID1,ID2) | stats latest(Status) as Status values(PayloadAmount) as Amount by ID | stats count(list()) by Status | eval _time=relative_time(now(),"-1d@d") | timechart usenull=f span=1d count by Status

The results are uninteresting, however, because every value has the same timestamp (00:00 yesterday).

Also, what are you trying to achieve with stats count(list())? The list() function is supposed to have an argument.

Perhaps you could explain the problem you are trying to solve so we can offer better solutions.

Re: Not able to show PayloadAmount value into the timechart

nikhilup05 — Thu, 28 Oct 2021 10:15:38 GMT

Please look this query and help to show the amount value on barchart

index = pcf_logs cf_org_name = creorg OR cf_org_name = SvcITDnFAppsOrg cf_app_name=VerifyReviewConsumerService host="*"
| eval _raw = msg | rex "InputAmountToCredit\"\:\"(?<PayloadAmount>[^\"]+)"
| rex field=msg "InputAmountToCredit\"\:\"(?<PayloadAmount>[^\"]+)"
| rex field=msg "Request\#\:\s*(?<ID1>\d+) with (?<Status>\w+.\w+)"
| rex field=msg "CRERequestId\"\:\"(?<ID2>[^\"]+)"
| eval ID=coalesce(ID1,ID2)
| stats latest(Status) as Status values(PayloadAmount) as Amount by ID
| stats count(list(PayloadAmount)) by Status
| eval _time=relative_time(now(),"-1d@d")
| timechart usenull=f span=1d count by Status

Re: Not able to apply the timechart on mentioned query

nikhilup05 — Thu, 28 Oct 2021 10:17:24 GMT

I have to show Amount on barchart. I am not able to show it. pls help us

Re: Not able to apply the timechart on mentioned query

richgalloway — Fri, 29 Oct 2021 19:15:12 GMT

So you want Amount as one axis of the bar chart. What should the other axis be? Once we know that we can devise a query to produce the right information. As it is now, the query seems to be doing a lot more work than is necessary.

Re: Not able to apply the timechart on mentioned query

nikhilup05 — Fri, 29 Oct 2021 08:56:08 GMT

On y axis, I I am trying show the amount and in x axis status will be there on the date basis.

Help me out with the mentioned query

Re: Not able to apply the timechart on mentioned query

richgalloway — Fri, 29 Oct 2021 19:17:02 GMT

I'm still confused. The x-axis will have "status on the date basis". What does that mean?

Re: Not able to apply the timechart on mentioned query

nikhilup05 — Mon, 01 Nov 2021 09:35:55 GMT

In x axis, I want to show the status (which will be approved/reject/Manual) and on the bar I have to show the values of Amount for the particular status. See the attached the sample view.

Re: Not able to apply the timechart on mentioned query

richgalloway — Wed, 03 Nov 2021 13:04:39 GMT

Thanks for the clarifying charts.

Since each axis of a chart can use only one field, you will have to combine the date and Status fields into a single field before charting.

... | eval x_axis = date . " " . Status | chart max(Amount) as Amount over x_axis