https://community.splunk.com/t5/Splunk-Search/How-to-create-a-timechart-using-a-root-search-with-data-models/m-p/156898#M44149 <P>Lisa, </P> <P>I have same issue, from pivot I am not able to plot the timechart graph, though by _time I am able to get require graph. </P> <P><STRONG>Not Working</STRONG><BR /> | pivot DataModel_AccessService perf count(TPS) AS "tps" sum(execTime) AS<BR /> "execTime" SPLITROW _time AS _time PERIOD AUTO SPLITROW host AS hostname|<BR /> timechart sum(execTime)<BR /> <STRONG>Working</STRONG><BR /> | pivot DataModel_AccessService perf count(TPS) AS "tps" sum(execTime) AS<BR /> "execTime" SPLITROW _time AS _time PERIOD AUTO SPLITROW host AS hostname|<BR /> chart sum(execTime) by _time</P> <P>Thanks,<BR /> Sumit </P> Mon, 28 Sep 2020 18:27:56 GMT sumitnagal 2020-09-28T18:27:56Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-timechart-using-a-root-search-with-data-models/m-p/156891#M44142 <P>According to the documentation here, <A href="http://docs.splunk.com/Documentation/Splunk/6.0.2/Knowledge/Designdatamodelobjects">http://docs.splunk.com/Documentation/Splunk/6.0.2/Knowledge/Designdatamodelobjects</A>, </P> <P>"You should create root search objects for any searches that do not map directly to Splunk events. In other words, searches that involve input or output that is not in the format of an event. This includes searches that:</P> <P>Make use of transforming commands such as stats, chart, and timechart. Transforming commands organize the data they return into tables rather than event lists."</P> <P>Can someone please give me an example or an idea of how to create a timechart using a root search with data models and pivots? Root search does not extract the _time timestamp so I don't see how I can create a pivot chart with a root search. Is there a way I can get the timestamp attributes into the root search so I can create a timechart? I am very confused.</P> <P>Thanks for any help.<BR /> Eric</P> Thu, 24 Jul 2014 19:16:03 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-timechart-using-a-root-search-with-data-models/m-p/156891#M44142 EricLloyd79 2014-07-24T19:16:03Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-timechart-using-a-root-search-with-data-models/m-p/156892#M44143 <P>This doesn't seem to be what root search was designed to do.</P> <P>Could you give an example of why you need to create a root search and have the _time field?</P> Sat, 26 Jul 2014 20:07:07 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-timechart-using-a-root-search-with-data-models/m-p/156892#M44143 okrabbe 2014-07-26T20:07:07Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-timechart-using-a-root-search-with-data-models/m-p/156893#M44144 <P>Well, first you <EM>can</EM> have <CODE>_time</CODE> as part of a root search in a pivot. All you have to do is to include <CODE>_time</CODE> as one of the fields after the <CODE>by</CODE></P> <P>But - just because you want to create a timechart doesn't mean that you need a root search. You could have a root event object - no problem. Then open the pivot and choose the object. For the <STRONG>Split Rows</STRONG>, choose <CODE>_time</CODE>and choose the interval. For the <STRONG>Column Values</STRONG>, choose the statistic that you want. Then you can click on the <STRONG>Line Chart</STRONG> in the black bar on the left, and go from there...</P> Sun, 27 Jul 2014 16:35:39 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-timechart-using-a-root-search-with-data-models/m-p/156893#M44144 lguinn2 2014-07-27T16:35:39Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-timechart-using-a-root-search-with-data-models/m-p/156894#M44145 <P>I appreciate your feedback about the by _time. I will try that. In regards to using an root event I have tried that with this query but since it includes a join, I cannot use a root event. I posted a separate question regarding the join in a root event. Thanks again. I'll comment back on if it works or not. </P> Sun, 27 Jul 2014 17:40:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-timechart-using-a-root-search-with-data-models/m-p/156894#M44145 EricLloyd79 2014-07-27T17:40:17Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-timechart-using-a-root-search-with-data-models/m-p/156895#M44146 <P>lguinn, have you tried that? i tried adding _time to a root search and then the data model would not load in pivot.</P> Mon, 28 Jul 2014 14:55:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-timechart-using-a-root-search-with-data-models/m-p/156895#M44146 okrabbe 2014-07-28T14:55:46Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-timechart-using-a-root-search-with-data-models/m-p/156896#M44147 <P>Here is an example of the query I am trying to do:<BR /><BR /> sourcetype=xxx-yyy FOO | join host [search sourcetype=xxx-yyy BAR] | eval var=(ABC - (DEF + GHI + FOO + BAR)) | timechart span=30m sum(var) by host</P> <P>Im trying to divide the columns up by the host so not sure how to use "by _time" with this one in data models and generate a pivot from it. Thanks for all your help.</P> Mon, 28 Jul 2014 15:43:23 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-timechart-using-a-root-search-with-data-models/m-p/156896#M44147 EricLloyd79 2014-07-28T15:43:23Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-timechart-using-a-root-search-with-data-models/m-p/156897#M44148 <P>Well, first - if you want a timeline then you need to use _time (or <EM>some</EM> time field!) When you use the <CODE>timechart</CODE> command, it takes care of this for you automatically.</P> <P>Try this</P> <P><CODE>sourcetype=xxx-yyy (FOO OR BAR)<BR /> | eval var=(ABC - (DEF + GHI + FOO + BAR)) <BR /> | timechart span=30m sum(var) by host</CODE></P> <P>You don't need the <CODE>join</CODE> at all, as far as I can see... (And sorry about the updates, but I just noticed that both searches use the same sourcetype - even <EM>less</EM> cause for a subsearch!)</P> Tue, 29 Jul 2014 04:09:56 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-timechart-using-a-root-search-with-data-models/m-p/156897#M44148 lguinn2 2014-07-29T04:09:56Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-timechart-using-a-root-search-with-data-models/m-p/156898#M44149 <P>Lisa, </P> <P>I have same issue, from pivot I am not able to plot the timechart graph, though by _time I am able to get require graph. </P> <P><STRONG>Not Working</STRONG><BR /> | pivot DataModel_AccessService perf count(TPS) AS "tps" sum(execTime) AS<BR /> "execTime" SPLITROW _time AS _time PERIOD AUTO SPLITROW host AS hostname|<BR /> timechart sum(execTime)<BR /> <STRONG>Working</STRONG><BR /> | pivot DataModel_AccessService perf count(TPS) AS "tps" sum(execTime) AS<BR /> "execTime" SPLITROW _time AS _time PERIOD AUTO SPLITROW host AS hostname|<BR /> chart sum(execTime) by _time</P> <P>Thanks,<BR /> Sumit </P> Mon, 28 Sep 2020 18:27:56 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-timechart-using-a-root-search-with-data-models/m-p/156898#M44149 sumitnagal 2020-09-28T18:27:56Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-timechart-using-a-root-search-with-data-models/m-p/156899#M44150 <P>I have exactly the same issue.</P> Mon, 06 Apr 2015 21:47:48 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-timechart-using-a-root-search-with-data-models/m-p/156899#M44150 helge 2015-04-06T21:47:48Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-timechart-using-a-root-search-with-data-models/m-p/156900#M44151 <P>This seems to work in 6.3. Just make sure you are passing in <STRONG>_time</STRONG> into the pivot query. </P> <PRE><CODE>| pivot DataModel_AccessService perf count(TPS) AS hits SPLITROW _time AS _time PERIOD AUTO SPLITROW host AS hostname | timechart sum(hits) by hostname </CODE></PRE> Wed, 24 Feb 2016 07:17:52 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-timechart-using-a-root-search-with-data-models/m-p/156900#M44151 spammenot66 2016-02-24T07:17:52Z