https://community.splunk.com/t5/Splunk-Search/How-do-I-display-values-over-the-last-24-hours/m-p/208126#M60681 <P>Thanks for the reply <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> see the attached screen shot i seem to be getting the data into the fields but i cant graph it for my dashboard</P> <P>any ideas ?</P> <P>Many thanks as always</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/636i88FAA844FB4F9347/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span> </P> Mon, 21 Sep 2015 23:24:40 GMT loggeruk 2015-09-21T23:24:40Z https://community.splunk.com/t5/Splunk-Search/How-do-I-display-values-over-the-last-24-hours/m-p/208123#M60678 <P>Greetings,</P> <P>I am trying to display the value of "002:emailsqu=33" over the last 24 hours and then graph it. The log comes in to the system every 180seconds</P> <P>Date=Wednesday, September 9, 2015 3:10:37 PM<BR /> Location=ImageNowProduction<BR /> 001:sizebundle=21<BR /> 002:emailsqu=33<BR /> 003:createdocumentqu=44</P> <P>Many Thanks <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Wed, 09 Sep 2015 15:47:35 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-display-values-over-the-last-24-hours/m-p/208123#M60678 loggeruk 2015-09-09T15:47:35Z https://community.splunk.com/t5/Splunk-Search/How-do-I-display-values-over-the-last-24-hours/m-p/208124#M60679 <P>Hi @loggeruk,<BR /> I'm a tech writer here at Splunk and I'd like to help. If I'm understanding your question, it sounds like you might want to run a query using a command like "timechart" to aggregate on the "002:emailsqu=33" field in your data , with the time picker set to "Last 24 hours". You can then set up a visualization, such as a line graph, to visualize the results.</P> <P>Here are some resources that might help:<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/6.2.5/SearchReference/Timechart">http://docs.splunk.com/Documentation/Splunk/6.2.5/SearchReference/Timechart</A><BR /> <A href="http://docs.splunk.com/Documentation/Splunk/6.2.5/SearchTutorial/Aboutthetimerangepicker">http://docs.splunk.com/Documentation/Splunk/6.2.5/SearchTutorial/Aboutthetimerangepicker</A><BR /> <A href="http://docs.splunk.com/Documentation/Splunk/6.2.5/Viz/ChartConfigurationReference#Area.2C_Bubble.2C_Bar.2C_Column.2C_Line.2C_and_Scatter_charts">http://docs.splunk.com/Documentation/Splunk/6.2.5/Viz/ChartConfigurationReference#Area.2C_Bubble.2C_Bar.2C_Column.2C_Line.2C_and_Scatter_charts</A></P> <P>I hope this helps! If not, let me know and we can keep discussing.</P> <P>All the best,<BR /> @frobinson_splunk</P> Wed, 09 Sep 2015 16:23:56 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-display-values-over-the-last-24-hours/m-p/208124#M60679 frobinson_splun 2015-09-09T16:23:56Z https://community.splunk.com/t5/Splunk-Search/How-do-I-display-values-over-the-last-24-hours/m-p/208125#M60680 <P>If emailsqu is already extracted as a field:</P> <PRE><CODE>earliest=-24h sourcetype=foo emailsqu=* | table emailsqu _time </CODE></PRE> <P>or</P> <PRE><CODE>earliest=-24h sourcetype=foo emailsqu=* | timechart span=2m max(emailsqu) as emailsqu </CODE></PRE> <P>or you could use a different span and use <CODE>avg</CODE> instead of max for example.</P> <HR /> <P>If emailsqu is not extracted as a field:</P> <PRE><CODE> earliest=-24h sourcetype=foo | rex "emailsqu=(?&lt;emailsqu&gt;.*) | table emailsqu _time </CODE></PRE> <P>or</P> <PRE><CODE> earliest=-24h sourcetype=foo | rex "emailsqu=(?&lt;emailsqu&gt;.*) | timechart span=2m max(emailsqu) as emailsqu </CODE></PRE> Wed, 09 Sep 2015 16:28:55 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-display-values-over-the-last-24-hours/m-p/208125#M60680 aljohnson_splun 2015-09-09T16:28:55Z https://community.splunk.com/t5/Splunk-Search/How-do-I-display-values-over-the-last-24-hours/m-p/208126#M60681 <P>Thanks for the reply <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> see the attached screen shot i seem to be getting the data into the fields but i cant graph it for my dashboard</P> <P>any ideas ?</P> <P>Many thanks as always</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/636i88FAA844FB4F9347/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span> </P> Mon, 21 Sep 2015 23:24:40 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-display-values-over-the-last-24-hours/m-p/208126#M60681 loggeruk 2015-09-21T23:24:40Z https://community.splunk.com/t5/Splunk-Search/How-do-I-display-values-over-the-last-24-hours/m-p/208127#M60682 <P>try <CODE>timechart</CODE> instead of <CODE>table</CODE></P> <PRE><CODE> .... | timechart values(textbehindocrdcg2) AS textbehindocrdcg2 </CODE></PRE> <P>cheers, MuS</P> Mon, 21 Sep 2015 23:38:44 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-display-values-over-the-last-24-hours/m-p/208127#M60682 MuS 2015-09-21T23:38:44Z https://community.splunk.com/t5/Splunk-Search/How-do-I-display-values-over-the-last-24-hours/m-p/208128#M60683 <P>I used the Pivot function with the MEDIAN option in the end, seems to be working well. Thanks for all the replies <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 25 Sep 2015 22:12:41 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-display-values-over-the-last-24-hours/m-p/208128#M60683 loggeruk 2015-09-25T22:12:41Z