https://community.splunk.com/t5/Splunk-Search/How-to-display-time-ranges-based-on-chart-table-data/m-p/229168#M67875 <P>Thanks! I figured it out just before your post. Thanks again for another great solution!</P> Mon, 15 Aug 2016 13:52:46 GMT chadman 2016-08-15T13:52:46Z https://community.splunk.com/t5/Splunk-Search/How-to-display-time-ranges-based-on-chart-table-data/m-p/229162#M67869 <P>I have a timechart that works ok, but can be hard to read because of how Splunk averages the data. I have tried to show the chart as values and that also works, but still is hard to read. My goal is so have a nice way to preset some time ranges to the user. The data is either true/false and gets reported every min. I would like to display to the users all the time ranges the data is true in the search. Below is the chart I tried, but I'm not sure a chart is the best way to display this.</P> <PRE><CODE>sourcetype="data1" host=host1 | eval "Workstation Locked" = if(lock="True",1,0) | chart values("Workstation Locked") as "Workstation Locked" by date </CODE></PRE> Mon, 15 Aug 2016 12:44:02 GMT https://community.splunk.com/t5/Splunk-Search/How-to-display-time-ranges-based-on-chart-table-data/m-p/229162#M67869 chadman 2016-08-15T12:44:02Z https://community.splunk.com/t5/Splunk-Search/How-to-display-time-ranges-based-on-chart-table-data/m-p/229163#M67870 <P>Have you look at the timeline app?</P> <P><A href="https://splunkbase.splunk.com/app/3120/">https://splunkbase.splunk.com/app/3120/</A></P> Mon, 15 Aug 2016 12:54:03 GMT https://community.splunk.com/t5/Splunk-Search/How-to-display-time-ranges-based-on-chart-table-data/m-p/229163#M67870 sundareshr 2016-08-15T12:54:03Z https://community.splunk.com/t5/Splunk-Search/How-to-display-time-ranges-based-on-chart-table-data/m-p/229164#M67871 <P>that does look cool, but I prefer a search option that does not require an addon if that's possible. It does not have to be in a chart. </P> Mon, 15 Aug 2016 13:04:27 GMT https://community.splunk.com/t5/Splunk-Search/How-to-display-time-ranges-based-on-chart-table-data/m-p/229164#M67871 chadman 2016-08-15T13:04:27Z https://community.splunk.com/t5/Splunk-Search/How-to-display-time-ranges-based-on-chart-table-data/m-p/229165#M67872 <P>Try this then</P> <PRE><CODE>sourcetype="data1" host=host1 | autoregress lock | streamstats count(eval(lock!=lock_p1)) as group | stats earliest(_time) as start latest(_time) as end by host group | eval start=strftime(start, "%c") | eval end=strftime(end, "%c") </CODE></PRE> Mon, 15 Aug 2016 13:31:47 GMT https://community.splunk.com/t5/Splunk-Search/How-to-display-time-ranges-based-on-chart-table-data/m-p/229165#M67872 sundareshr 2016-08-15T13:31:47Z https://community.splunk.com/t5/Splunk-Search/How-to-display-time-ranges-based-on-chart-table-data/m-p/229166#M67873 <P>Looks good! I forgot to mention in my post that I would only like to see the time ranges when lock=1. I tired to add a | where lock=1 in the beginning of the search, but that broke it.</P> Mon, 15 Aug 2016 13:48:20 GMT https://community.splunk.com/t5/Splunk-Search/How-to-display-time-ranges-based-on-chart-table-data/m-p/229166#M67873 chadman 2016-08-15T13:48:20Z https://community.splunk.com/t5/Splunk-Search/How-to-display-time-ranges-based-on-chart-table-data/m-p/229167#M67874 <P>Add the <CODE>where</CODE> after just before the <CODE>stats</CODE>. Like this</P> <PRE><CODE> sourcetype="data1" host=host1 | autoregress lock | streamstats count(eval(lock!=lock_p1)) as group | where lock=1 | stats earliest(_time) as start latest(_time) as end by host group | eval start=strftime(start, "%c") | eval end=strftime(end, "%c") </CODE></PRE> Mon, 15 Aug 2016 13:51:41 GMT https://community.splunk.com/t5/Splunk-Search/How-to-display-time-ranges-based-on-chart-table-data/m-p/229167#M67874 sundareshr 2016-08-15T13:51:41Z https://community.splunk.com/t5/Splunk-Search/How-to-display-time-ranges-based-on-chart-table-data/m-p/229168#M67875 <P>Thanks! I figured it out just before your post. Thanks again for another great solution!</P> Mon, 15 Aug 2016 13:52:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-display-time-ranges-based-on-chart-table-data/m-p/229168#M67875 chadman 2016-08-15T13:52:46Z