https://community.splunk.com/t5/Splunk-Search/How-to-make-a-timechart-graph-from-a-search-result/m-p/200185#M58010 <P>Are you wanting to know how many of the messages you are receiving for a given timeframe?</P> Tue, 22 Dec 2015 21:17:03 GMT cmccormick 2015-12-22T21:17:03Z https://community.splunk.com/t5/Splunk-Search/How-to-make-a-timechart-graph-from-a-search-result/m-p/200184#M58009 <P>I have some events with <CODE>message</CODE> field as <CODE>Bar Hello..</CODE>, <CODE>Bar Hi...</CODE>, <CODE>Bar Foo...</CODE> and so on. I do not know beforehand how many this type of <CODE>message</CODE> are there. It is purely dynamical. But this messages are generated one at a time and timestamp of events with this messages are different. Now I want to show the search results as <CODE>timechart</CODE>. Right now I have this</P> <PRE><CODE>index=baz host=server1 message="Bar*" | table host message _time | sort by -_time </CODE></PRE> Tue, 22 Dec 2015 20:42:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-make-a-timechart-graph-from-a-search-result/m-p/200184#M58009 anirban_nag 2015-12-22T20:42:30Z https://community.splunk.com/t5/Splunk-Search/How-to-make-a-timechart-graph-from-a-search-result/m-p/200185#M58010 <P>Are you wanting to know how many of the messages you are receiving for a given timeframe?</P> Tue, 22 Dec 2015 21:17:03 GMT https://community.splunk.com/t5/Splunk-Search/How-to-make-a-timechart-graph-from-a-search-result/m-p/200185#M58010 cmccormick 2015-12-22T21:17:03Z https://community.splunk.com/t5/Splunk-Search/How-to-make-a-timechart-graph-from-a-search-result/m-p/200186#M58011 <P>No I don't want to know how many but I want to create a line chart based on the messages and their frequency. Though I think I got close to it <CODE>index=baz host=server1 message="Bar*" | table host message _time | sort by -_time | timechart span=2m count by message usenull=f</CODE>. Now it would be good if in the graph it is a single line with different color for different type of message.</P> Tue, 22 Dec 2015 21:28:23 GMT https://community.splunk.com/t5/Splunk-Search/How-to-make-a-timechart-graph-from-a-search-result/m-p/200186#M58011 anirban_nag 2015-12-22T21:28:23Z https://community.splunk.com/t5/Splunk-Search/How-to-make-a-timechart-graph-from-a-search-result/m-p/200187#M58012 <P>You should just need the timechart command. </P> <P>See Below:</P> <P>index=baz host=server1 message="Bar*" |timechart count(message) by message usenull=f useother=f</P> Wed, 23 Dec 2015 14:59:14 GMT https://community.splunk.com/t5/Splunk-Search/How-to-make-a-timechart-graph-from-a-search-result/m-p/200187#M58012 dcharboneau_spl 2015-12-23T14:59:14Z https://community.splunk.com/t5/Splunk-Search/How-to-make-a-timechart-graph-from-a-search-result/m-p/200188#M58013 <P>It would be good if in the graph it is a single line with different color for different type of message.</P> Thu, 24 Dec 2015 21:21:49 GMT https://community.splunk.com/t5/Splunk-Search/How-to-make-a-timechart-graph-from-a-search-result/m-p/200188#M58013 anirban_nag 2015-12-24T21:21:49Z https://community.splunk.com/t5/Splunk-Search/How-to-make-a-timechart-graph-from-a-search-result/m-p/200189#M58014 <P>Not sure how that would work. A single line for x number of message types won't work as a visualization. you could do a Stacked column Chart view instead of a line chart. Above should produce multiple lines each a different color and one line for each message type over time.</P> Mon, 28 Dec 2015 13:01:25 GMT https://community.splunk.com/t5/Splunk-Search/How-to-make-a-timechart-graph-from-a-search-result/m-p/200189#M58014 dcharboneau_spl 2015-12-28T13:01:25Z