https://community.splunk.com/t5/Splunk-Search/Why-is-my-timechart-search-WHERE-duration-gt-8-not-returning-any/m-p/159118#M44877 <P>Okay, how about a different approach? This is un-tested, but why not try this:</P> <PRE><CODE>index=uv GUID="*" NOT "ERROR" | stats earliest(_time) AS earliest_time latest(_time) AS latest_time by GUID, _time | eval Duration=latest_time-earliest_time | where Duration &gt; 8 | stats count by GUID, Duration, _time TOP GUID | fields - count </CODE></PRE> Tue, 24 Feb 2015 20:58:30 GMT MuS 2015-02-24T20:58:30Z https://community.splunk.com/t5/Splunk-Search/Why-is-my-timechart-search-WHERE-duration-gt-8-not-returning-any/m-p/159111#M44870 <P>I have a lot of SOAP req/resp pairs and I was able to match them up and find the time between them (duration). I then input this searchand was returned back all of the unique identifiers (GUIDs) with a duration longer than 8 seconds. Now I want to chart this using Timechart, every time I try to do this, nothing will come up, even though a list of 100+ GUID's was present when I didn't have the Timechart command in there.</P> <P>My original search which returned back rows of expected data in the 'Statistics' tab:</P> <PRE><CODE>index=uv GUID="*" NOT "ERROR" | transaction GUID startswith="CalculateTaxRequest" endswith="CalculatetaxResponse"| TOP GUID by duration | WHERE duration&gt;8 </CODE></PRE> <P>My unsuccessful Timechart search which returns back NO data:</P> <PRE><CODE>index=uv GUID="*" NOT "ERROR" | transaction GUID startswith="CalculateTaxRequest" endswith="CalculatetaxResponse"| TOP GUID by duration | timechart list(duration) | WHERE duration&gt;8 </CODE></PRE> Tue, 24 Feb 2015 19:06:59 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-timechart-search-WHERE-duration-gt-8-not-returning-any/m-p/159111#M44870 skoelpin 2015-02-24T19:06:59Z https://community.splunk.com/t5/Splunk-Search/Why-is-my-timechart-search-WHERE-duration-gt-8-not-returning-any/m-p/159112#M44871 <P>Hi skoelpin, have you tried to use the <CODE>where</CODE> clause directly with the <CODE>timechart</CODE> command like written in the docs <A href="http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/Timechart#Using_where_clauses">http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/Timechart#Using_where_clauses</A> ? Also, be aware that using the <CODE>list()</CODE> function creates a multi value field, whereas in the first search you're using single value fields for duration.</P> Tue, 24 Feb 2015 19:27:37 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-timechart-search-WHERE-duration-gt-8-not-returning-any/m-p/159112#M44871 MuS 2015-02-24T19:27:37Z https://community.splunk.com/t5/Splunk-Search/Why-is-my-timechart-search-WHERE-duration-gt-8-not-returning-any/m-p/159113#M44872 <P>Thanks for the response! I took out there where clause and still have the same problem. My original search (the first one listed in my question) will return back exactly what I'm looking for. But when I add timechart, nothing will appear so I'm not sure if it has anything to do with WHERE. Any other suggestions? </P> Tue, 24 Feb 2015 19:30:53 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-timechart-search-WHERE-duration-gt-8-not-returning-any/m-p/159113#M44872 skoelpin 2015-02-24T19:30:53Z https://community.splunk.com/t5/Splunk-Search/Why-is-my-timechart-search-WHERE-duration-gt-8-not-returning-any/m-p/159114#M44873 <P>Also I think you may be correct with the list() function.. maybe I should be using a different function, any suggestions? </P> Tue, 24 Feb 2015 19:32:29 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-timechart-search-WHERE-duration-gt-8-not-returning-any/m-p/159114#M44873 skoelpin 2015-02-24T19:32:29Z https://community.splunk.com/t5/Splunk-Search/Why-is-my-timechart-search-WHERE-duration-gt-8-not-returning-any/m-p/159115#M44874 <P>what is your intention using <CODE>list</CODE> maybe it helps if you tell us what you expect as result</P> Tue, 24 Feb 2015 19:48:33 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-timechart-search-WHERE-duration-gt-8-not-returning-any/m-p/159115#M44874 MuS 2015-02-24T19:48:33Z https://community.splunk.com/t5/Splunk-Search/Why-is-my-timechart-search-WHERE-duration-gt-8-not-returning-any/m-p/159116#M44875 <P>The unique identifier (GUID) is tied to BOTH the request and response. So when a SOAP request is sent, it has a timestamp and on the response it also has a timestamp. The Transaction command groups these together so I have an output in the 'Statistics' tab which shows the GUID and total duration (time for each SOAP request to respond). </P> <PRE><CODE>Duration GUID 9.3387 dsf234-sdf-234-dsf-344 11.234 jhhbj-767-sdfds-sdfds 10.333 dfds3-h33-hbh3-23jjkk </CODE></PRE> <P>So I currently have this output with my first query, but now I want to make a timechart visually showing the duration. I've tried using count(duration), list(duration), and values(duration) with no luck</P> Tue, 24 Feb 2015 19:56:07 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-timechart-search-WHERE-duration-gt-8-not-returning-any/m-p/159116#M44875 skoelpin 2015-02-24T19:56:07Z https://community.splunk.com/t5/Splunk-Search/Why-is-my-timechart-search-WHERE-duration-gt-8-not-returning-any/m-p/159117#M44876 <P>Have you tried this:</P> <PRE><CODE> index=uv GUID="*" NOT "ERROR" | transaction GUID startswith="CalculateTaxRequest" endswith="CalculatetaxResponse"| table GUID duration | WHERE duration &gt; 8 | sort duration desc </CODE></PRE> <P>Also, switch the tab to visualization and select "column" or "line"</P> <P>(I know. Kind of tacky.)</P> Tue, 24 Feb 2015 20:49:07 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-timechart-search-WHERE-duration-gt-8-not-returning-any/m-p/159117#M44876 sk314 2015-02-24T20:49:07Z https://community.splunk.com/t5/Splunk-Search/Why-is-my-timechart-search-WHERE-duration-gt-8-not-returning-any/m-p/159118#M44877 <P>Okay, how about a different approach? This is un-tested, but why not try this:</P> <PRE><CODE>index=uv GUID="*" NOT "ERROR" | stats earliest(_time) AS earliest_time latest(_time) AS latest_time by GUID, _time | eval Duration=latest_time-earliest_time | where Duration &gt; 8 | stats count by GUID, Duration, _time TOP GUID | fields - count </CODE></PRE> Tue, 24 Feb 2015 20:58:30 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-timechart-search-WHERE-duration-gt-8-not-returning-any/m-p/159118#M44877 MuS 2015-02-24T20:58:30Z https://community.splunk.com/t5/Splunk-Search/Why-is-my-timechart-search-WHERE-duration-gt-8-not-returning-any/m-p/159119#M44878 <P>I see what you did there but unfortunately did not work, I was finally able to get it and will post my solution below. Thanks for your help and time! <BR /> I appreciate it </P> Tue, 24 Feb 2015 21:02:28 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-timechart-search-WHERE-duration-gt-8-not-returning-any/m-p/159119#M44878 skoelpin 2015-02-24T21:02:28Z https://community.splunk.com/t5/Splunk-Search/Why-is-my-timechart-search-WHERE-duration-gt-8-not-returning-any/m-p/159120#M44879 <P>This kind of worked but not exactly what I was looking for. Thanks for taking the time to help though! </P> Tue, 24 Feb 2015 21:03:13 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-timechart-search-WHERE-duration-gt-8-not-returning-any/m-p/159120#M44879 skoelpin 2015-02-24T21:03:13Z https://community.splunk.com/t5/Splunk-Search/Why-is-my-timechart-search-WHERE-duration-gt-8-not-returning-any/m-p/159121#M44880 <P>I was finally able to get it with this query. i was unaware that Splunk has a built in Visualization editor which helped a lot </P> <PRE><CODE>index=uv GUID1="*" NOT "ERROR" | transaction GUID1 startswith="CalculateTaxRequest" endswith="CalculatetaxResponse" | where duration&gt;8| timechart count by duration </CODE></PRE> Tue, 24 Feb 2015 21:05:28 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-timechart-search-WHERE-duration-gt-8-not-returning-any/m-p/159121#M44880 skoelpin 2015-02-24T21:05:28Z