https://community.splunk.com/t5/Splunk-Search/How-to-do-a-timechart-from-a-single-panel-result/m-p/595551#M207270 <P>Hi</P> <P>I need to do a timechart from a single panel result</P> <P>In this single panel, I stats events like this</P> <P>&nbsp;</P> <LI-CODE lang="markup">| stats count as PbPerf by s | search PbPerf&gt;10 | stats dc(s)</LI-CODE> <P>&nbsp;</P> <P>The results of this search is 14 events</P> <P>Now I need to timechart these 14 events</P> <P>So I am doing this</P> <P>&nbsp;</P> <LI-CODE lang="markup">| bin _time span=1d | stats count as PbPerf by s _time | search PbPerf&gt;10 | timechart count span=1h</LI-CODE> <P>&nbsp;</P> <P>&nbsp;The first problem I have is that I want to retrieve the 14 events before doing the timechart is that I have to use a span=1d</P> <P>But of course all the 14 events are grouped with the same _time even if I use a span=1h in the timechart</P> <P>So how to display a timechart that display a _time value for my 14 events?</P> <P>Thanks</P> Wed, 27 Apr 2022 16:01:58 GMT jip31 2022-04-27T16:01:58Z https://community.splunk.com/t5/Splunk-Search/How-to-do-a-timechart-from-a-single-panel-result/m-p/595551#M207270 <P>Hi</P> <P>I need to do a timechart from a single panel result</P> <P>In this single panel, I stats events like this</P> <P>&nbsp;</P> <LI-CODE lang="markup">| stats count as PbPerf by s | search PbPerf&gt;10 | stats dc(s)</LI-CODE> <P>&nbsp;</P> <P>The results of this search is 14 events</P> <P>Now I need to timechart these 14 events</P> <P>So I am doing this</P> <P>&nbsp;</P> <LI-CODE lang="markup">| bin _time span=1d | stats count as PbPerf by s _time | search PbPerf&gt;10 | timechart count span=1h</LI-CODE> <P>&nbsp;</P> <P>&nbsp;The first problem I have is that I want to retrieve the 14 events before doing the timechart is that I have to use a span=1d</P> <P>But of course all the 14 events are grouped with the same _time even if I use a span=1h in the timechart</P> <P>So how to display a timechart that display a _time value for my 14 events?</P> <P>Thanks</P> Wed, 27 Apr 2022 16:01:58 GMT https://community.splunk.com/t5/Splunk-Search/How-to-do-a-timechart-from-a-single-panel-result/m-p/595551#M207270 jip31 2022-04-27T16:01:58Z https://community.splunk.com/t5/Splunk-Search/How-to-do-a-timechart-from-a-single-panel-result/m-p/595555#M207272 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/102660">@jip31</a>,</P><P>at first, why don't you directly use timechart in you search?</P><LI-CODE lang="markup">| timechart span=1d count as PbPerf by s | where PbPerf&gt;10</LI-CODE><P>but anyway, you cannot use before span=1d and then span=1h, because you have the same hour in each date for each day.</P><P>Ciao.</P><P>Giuseppe</P> Wed, 27 Apr 2022 10:49:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-do-a-timechart-from-a-single-panel-result/m-p/595555#M207272 gcusello 2022-04-27T10:49:46Z https://community.splunk.com/t5/Splunk-Search/How-to-do-a-timechart-from-a-single-panel-result/m-p/595556#M207273 <P>Hi</P><P>Your idea is not bad but :</P><P>1) the where condition works only if I delete "by s"</P><P>2) if I timechart by s, I have only ten results for s</P> Wed, 27 Apr 2022 11:04:14 GMT https://community.splunk.com/t5/Splunk-Search/How-to-do-a-timechart-from-a-single-panel-result/m-p/595556#M207273 jip31 2022-04-27T11:04:14Z https://community.splunk.com/t5/Splunk-Search/How-to-do-a-timechart-from-a-single-panel-result/m-p/595557#M207274 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/102660">@jip31</a>,</P><P>this isn't a problem od the search but of your data, maybe you should use a different threshold.</P><P>When you say 14 results are you speking of two weeks or what else?</P><P>Ciao.</P><P>Giuseppe</P> Wed, 27 Apr 2022 11:07:29 GMT https://community.splunk.com/t5/Splunk-Search/How-to-do-a-timechart-from-a-single-panel-result/m-p/595557#M207274 gcusello 2022-04-27T11:07:29Z https://community.splunk.com/t5/Splunk-Search/How-to-do-a-timechart-from-a-single-panel-result/m-p/595585#M207282 <P>it's 14 events</P> Wed, 27 Apr 2022 13:27:32 GMT https://community.splunk.com/t5/Splunk-Search/How-to-do-a-timechart-from-a-single-panel-result/m-p/595585#M207282 jip31 2022-04-27T13:27:32Z https://community.splunk.com/t5/Splunk-Search/How-to-do-a-timechart-from-a-single-panel-result/m-p/595592#M207285 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/102660">@jip31</a>,</P><P>as I said, if using the BY clause probably you should better analyze your data to understand if the results you're waiting are correct.</P><P>Ciao.</P><P>Giuseppe</P> Wed, 27 Apr 2022 14:03:37 GMT https://community.splunk.com/t5/Splunk-Search/How-to-do-a-timechart-from-a-single-panel-result/m-p/595592#M207285 gcusello 2022-04-27T14:03:37Z https://community.splunk.com/t5/Splunk-Search/How-to-do-a-timechart-from-a-single-panel-result/m-p/595604#M207290 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/102660">@jip31</a>,</P><P>good for you, see next time!</P><P>Ciao and happy splunking</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Wed, 27 Apr 2022 14:44:49 GMT https://community.splunk.com/t5/Splunk-Search/How-to-do-a-timechart-from-a-single-panel-result/m-p/595604#M207290 gcusello 2022-04-27T14:44:49Z