https://community.splunk.com/t5/Splunk-Search/chart-time-based/m-p/225247#M66423 <P>I think you're going to have to use timechart instead of chart.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.4.3/SearchReference/Timechart">http://docs.splunk.com/Documentation/Splunk/6.4.3/SearchReference/Timechart</A></P> <P>Maybe..</P> <P>...|timechart span=1d count(Opened) by "Assignment group"</P> Fri, 30 Sep 2016 14:04:07 GMT JDukeSplunk 2016-09-30T14:04:07Z https://community.splunk.com/t5/Splunk-Search/chart-time-based/m-p/225243#M66419 <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/1947i04C19C398B2D6E92/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>Hi ,</P> <P>I want a chart exactly like the image attached. </P> <P>My data is input lookup csv file .<BR /> My time filed name is "Opened"<BR /> Data Global * field name is "Assignment group"</P> <P>Please help me with the query. </P> <P>I tried something like this but this is not what i want. <BR /> index=level3 host=Test | chart count over Opened by "Assignment group"</P> <P>Thanks</P> Thu, 29 Sep 2016 07:39:59 GMT https://community.splunk.com/t5/Splunk-Search/chart-time-based/m-p/225243#M66419 surekhasplunk 2016-09-29T07:39:59Z https://community.splunk.com/t5/Splunk-Search/chart-time-based/m-p/225244#M66420 <P>My first stab at it would be something like this. This will give you 14 days, including yesterday, but not today.</P> <P>index=level3 host=Test earliest="-14d@d" latest="-0d@d" | timechart span=1d limit=20 count Opened by "Assignment group"</P> <P>Then in the visualations tab change the format to Column, and Format, stacked. </P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/1945iB88323AABED759C8/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Thu, 29 Sep 2016 14:22:21 GMT https://community.splunk.com/t5/Splunk-Search/chart-time-based/m-p/225244#M66420 JDukeSplunk 2016-09-29T14:22:21Z https://community.splunk.com/t5/Splunk-Search/chart-time-based/m-p/225245#M66421 <P>Are the values in the "Opened" field epochtime values? ie integer numbers of seconds since 1/1/1970, or are they string formatted times. If the latter can you give an example value? Long story short you need to rename the time field to be "_time" and then convert it to epochtime format if it's not already. Then timechart will happily work with it just as though the rows were coming from regular indexed events. </P> Thu, 29 Sep 2016 14:43:27 GMT https://community.splunk.com/t5/Splunk-Search/chart-time-based/m-p/225245#M66421 sideview 2016-09-29T14:43:27Z https://community.splunk.com/t5/Splunk-Search/chart-time-based/m-p/225246#M66422 <P>Now am getting results with the below query but am unable to sort it date wise rather it sorts numerically.<BR /> I have two date fields with values like this:</P> <P>Opened = 09/27<BR /> Opened D = 09/29/16 </P> <P>Figure1</P> <P>index=level3 host=Test | eval _time=strptime("Opened D","%Y-%m-%d %H:%M:%S.%N")|chart count OVER "Opened D" BY "Assignment group" | sort -"Opened D"</P> <P>Figure2<span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/1946i0CAA79D26330B062/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>One more thing in the x-axis instead of “Opened D” how can I get the actual dates ? <BR /> If I enable event sampling only then am getting the dates if I slect “No event sampling” then the dates aren’t reflecting. How to solve this ?<BR /> And if I am enabling event sampling am missing some dates data also. </P> Fri, 30 Sep 2016 07:19:11 GMT https://community.splunk.com/t5/Splunk-Search/chart-time-based/m-p/225246#M66422 surekhasplunk 2016-09-30T07:19:11Z https://community.splunk.com/t5/Splunk-Search/chart-time-based/m-p/225247#M66423 <P>I think you're going to have to use timechart instead of chart.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.4.3/SearchReference/Timechart">http://docs.splunk.com/Documentation/Splunk/6.4.3/SearchReference/Timechart</A></P> <P>Maybe..</P> <P>...|timechart span=1d count(Opened) by "Assignment group"</P> Fri, 30 Sep 2016 14:04:07 GMT https://community.splunk.com/t5/Splunk-Search/chart-time-based/m-p/225247#M66423 JDukeSplunk 2016-09-30T14:04:07Z