topic Re: How to chart values over time in Splunk Search

How to chart values over time

theouhuios — Thu, 27 Aug 2015 14:14:13 GMT

Hello

What I am trying to do is to literally chart the values over time. Now the value can be anything. It can be a string too. My goal here is to just show what values occurred over that time

Eg Data:

I need to be able to show in a graph that these job_id's were being executed at that point of time. Is it possible? Do I need to use some advance charting mechanism to show this?

Re: How to chart values over time

woodcock — Thu, 27 Aug 2015 14:51:57 GMT

Something like this will work:

... | bucket _time span=1d | stats values(job_id) by _time

Re: How to chart values over time

richgalloway — Thu, 27 Aug 2015 14:53:06 GMT

Have you tried appending a timechart command to your search?

... | timechart values(job_id)

Re: How to chart values over time

theouhuios — Thu, 27 Aug 2015 14:58:54 GMT

I did. I think the problem is its not a straight number . As you see in the image above, it has a _ in between the two numbers. May be because of that it doesn't know how to chart it

Re: How to chart values over time

theouhuios — Thu, 27 Aug 2015 15:02:46 GMT

|replace "*_*" with "**" in job_id

This make it a number. But thats not really what I want to do. I just want to show the value by _time.

Re: How to chart values over time

richgalloway — Thu, 27 Aug 2015 15:07:09 GMT

I sort of expected that. Charting is something best done with numbers. I'm not sure of the utility of charting unique strings. @woodcock's answer will show job_id's broken down by time. Perhaps you can experiment with different visualizations to see if any work for you.

Re: How to chart values over time

somesoni2 — Thu, 27 Aug 2015 16:32:42 GMT

If you just want to plot a point to denote that a particular job ID was run, try something like this

your current search giving above table | mvexpand job_id | eval value=1 | table _time job_id value

This will plot a value of 1 for all job_id (select column chart).

*Updated answer *

 your current search giving above table | mvexpand job_id | eval value=1 | chart values(value) over _time by job_id limit=0

Re: How to chart values over time

richgalloway — Thu, 27 Aug 2015 17:00:30 GMT

Thanks for the correction.

Re: How to chart values over time

theouhuios — Thu, 27 Aug 2015 17:39:40 GMT

Well yes, thats the plan. But I still need to show which job_id was running then.

Re: How to chart values over time

mporath_splunk — Thu, 27 Aug 2015 17:56:31 GMT

Unfortunately there's no out-of-the-box way to do that (yet). Using a hack gets you pretty close: You could do

... | timechart values(linecount) by job_id span=1m

Given fine enough resolution for span, this sets the value for each job_id to 1. You can then do a line chart, like so:

Re: How to chart values over time

somesoni2 — Thu, 27 Aug 2015 18:00:45 GMT

Give updated answer a try

Re: How to chart values over time

woodcock — Thu, 27 Aug 2015 23:20:02 GMT

This should do it:

... | timechart span=1h count by job_id