https://community.splunk.com/t5/Splunk-Search/Not-able-to-create-a-24hour-chart-with-the-table/m-p/96576#M24949 <P>if your grouping is per time bucket (mybucket), then keep it at every steps of your commands : stats, fields, etc...<BR /> and at the end your probably want <CODE>|table A mybucket threshold</CODE></P> Sat, 20 Oct 2012 17:17:04 GMT yannK 2012-10-20T17:17:04Z https://community.splunk.com/t5/Splunk-Search/Not-able-to-create-a-24hour-chart-with-the-table/m-p/96572#M24945 <P>Hello </P> <P>I am trying to do a 24hr and 31 days chart for the threshold value which will be as a output of this table. Now the below code gives me threshold value for each workgroup. I now need to create a timechart which mentions about the number of times the threshold for a particular workgroup(A) is exceeded.</P> <PRE><CODE>index=xxxx search_name="xxxx" | rename record_assignmentGroup as A | eval mybucket=case(date_hour&lt;4,1,date_hour&lt;8,2,date_hour&lt;12,3,date_hour&lt;16,4,date_hour&lt;20,5,date_hour&gt;0,6) | stats count as I by A, mybucket,date_mday,date_month,date_year | delta I as D | eval D = abs(D) | eventstats avg(I) as xbar, avg(D) as mbar by A | eval threshold = xbar + (2.66*mbar) | eval threshold=coalesce(threshold,0) | dedup A | fields A threshold | table A threshold </CODE></PRE> <P>I made use of macro and now the search is </P> <PRE><CODE>index=xxxx search_name="xxxx" | `bucket_incident` | `threshold_incident`| </CODE></PRE> <P>It's just a shorter version of the first one. </P> <P><STRONG>Output:</STRONG></P> <P>A threshold</P> <P>Regards</P> <P>theou</P> Fri, 19 Oct 2012 17:43:18 GMT https://community.splunk.com/t5/Splunk-Search/Not-able-to-create-a-24hour-chart-with-the-table/m-p/96572#M24945 theouhuios 2012-10-19T17:43:18Z https://community.splunk.com/t5/Splunk-Search/Not-able-to-create-a-24hour-chart-with-the-table/m-p/96573#M24946 <P>I am not sure what you trying to do exactly, but you need to perserve _time to use timechart or to use chart use (chart count over time by x) in your stats command and eventstats.</P> Fri, 19 Oct 2012 20:37:45 GMT https://community.splunk.com/t5/Splunk-Search/Not-able-to-create-a-24hour-chart-with-the-table/m-p/96573#M24946 bmacias84 2012-10-19T20:37:45Z https://community.splunk.com/t5/Splunk-Search/Not-able-to-create-a-24hour-chart-with-the-table/m-p/96574#M24947 <P>I should have been a bit more clear. Will update the part now.</P> Fri, 19 Oct 2012 20:42:39 GMT https://community.splunk.com/t5/Splunk-Search/Not-able-to-create-a-24hour-chart-with-the-table/m-p/96574#M24947 theouhuios 2012-10-19T20:42:39Z https://community.splunk.com/t5/Splunk-Search/Not-able-to-create-a-24hour-chart-with-the-table/m-p/96575#M24948 <P>@bmacias84 I updated it now. Any idea on how to solve this.</P> Fri, 19 Oct 2012 20:48:45 GMT https://community.splunk.com/t5/Splunk-Search/Not-able-to-create-a-24hour-chart-with-the-table/m-p/96575#M24948 theouhuios 2012-10-19T20:48:45Z https://community.splunk.com/t5/Splunk-Search/Not-able-to-create-a-24hour-chart-with-the-table/m-p/96576#M24949 <P>if your grouping is per time bucket (mybucket), then keep it at every steps of your commands : stats, fields, etc...<BR /> and at the end your probably want <CODE>|table A mybucket threshold</CODE></P> Sat, 20 Oct 2012 17:17:04 GMT https://community.splunk.com/t5/Splunk-Search/Not-able-to-create-a-24hour-chart-with-the-table/m-p/96576#M24949 yannK 2012-10-20T17:17:04Z https://community.splunk.com/t5/Splunk-Search/Not-able-to-create-a-24hour-chart-with-the-table/m-p/96577#M24950 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/78571">@theouhuios</a>, Could you explain what your trying to accomplish with your case statment?<BR /> <CODE></CODE><PRE><CODE><BR /> eval mybucket=case(date_hour&lt;4,1,date_hour&lt;8,2,date_hour&lt;12,3,date_hour&lt;16,4,date_hour&lt;20,5,date_hour&gt;0,6)<BR /> </CODE></PRE></P> Mon, 28 Sep 2020 12:40:16 GMT https://community.splunk.com/t5/Splunk-Search/Not-able-to-create-a-24hour-chart-with-the-table/m-p/96577#M24950 bmacias84 2020-09-28T12:40:16Z