https://community.splunk.com/t5/Splunk-Search/Flow-chart/m-p/650745#M225000 <P>The command you are looking for is&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Timechart" target="_blank" rel="noopener">timechart</A>, the option to examine data in user-selected time interval is available in&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/latest/Viz/Aboutthismanual" target="_blank" rel="noopener">dashboard</A>&nbsp;(whether classic aka Simple XML or Dashboard Studio).</P><P>Based on sample code you have shown, I suspect that the timechart should look something like</P><LI-CODE lang="markup">| timechart span=1d count by Name</LI-CODE><P>But you didn't explain the complex acrobat around TimeStamp, so it is hard to say how that is to be transformed into Splunk's native _time.</P><P>Your picture suggests that you had some exposure to Grafana. &nbsp;If that is the case, and you want to pick up Splunk, the best course is try to forget the ways of Grafana, which isolates data from visualization and, as a consequence, has no true sense of time. &nbsp;_time is an internal field that is central to Splunk data. &nbsp;In most cases, correct time should be determined at ingestion time so the user (programmer) needn't have to worry about.</P> Mon, 17 Jul 2023 07:07:16 GMT yuanliu 2023-07-17T07:07:16Z https://community.splunk.com/t5/Splunk-Search/Flow-chart/m-p/650719#M224989 <P>Hi,</P><P>I have a table of 3 columns: Event name, time(=when the event happened) and source (file name).</P><P>I need to create a flow chart (similar to the attached picture) when X-axis represents time and Y axis binary (event happen or not).<BR />I need a line for each event name and a different color for each line.<BR />I also need to filter by time range (like the chart in the picture, to have the option to look on different time intervals). Also, click on a specific point and get its raw data (to know from which file it was taken).</P><P>Can I do it in Splunk? How?<BR /><BR />I tried to create a timeline, but it doesn't look so good :&nbsp;<BR /><BR />| eval myTime=TimeStamp/10000000 - 11644473600 | eval WinTimeStamp2=strftime(myTime, "%Y-%m-%dT%H:%M:%S.%Q")<BR />| bin WinTimeStamp2 span=1d | stats count by WinTimeStamp2, Name<BR /><BR />example for timestamp=<SPAN>133265876804261336</SPAN><BR /><BR />Thanks,</P><P>Maayan</P> Sun, 16 Jul 2023 12:51:13 GMT https://community.splunk.com/t5/Splunk-Search/Flow-chart/m-p/650719#M224989 maayan 2023-07-16T12:51:13Z https://community.splunk.com/t5/Splunk-Search/Flow-chart/m-p/650745#M225000 <P>The command you are looking for is&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Timechart" target="_blank" rel="noopener">timechart</A>, the option to examine data in user-selected time interval is available in&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/latest/Viz/Aboutthismanual" target="_blank" rel="noopener">dashboard</A>&nbsp;(whether classic aka Simple XML or Dashboard Studio).</P><P>Based on sample code you have shown, I suspect that the timechart should look something like</P><LI-CODE lang="markup">| timechart span=1d count by Name</LI-CODE><P>But you didn't explain the complex acrobat around TimeStamp, so it is hard to say how that is to be transformed into Splunk's native _time.</P><P>Your picture suggests that you had some exposure to Grafana. &nbsp;If that is the case, and you want to pick up Splunk, the best course is try to forget the ways of Grafana, which isolates data from visualization and, as a consequence, has no true sense of time. &nbsp;_time is an internal field that is central to Splunk data. &nbsp;In most cases, correct time should be determined at ingestion time so the user (programmer) needn't have to worry about.</P> Mon, 17 Jul 2023 07:07:16 GMT https://community.splunk.com/t5/Splunk-Search/Flow-chart/m-p/650745#M225000 yuanliu 2023-07-17T07:07:16Z