https://community.splunk.com/t5/Splunk-Search/How-to-create-a-timechart-using-eval-to-create-the-fields-and/m-p/273076#M82270 <P>There's a few ways to do this. Here's one:</P> <PRE><CODE>|gentimes start="12/1/2015" end="12/15/2015" | convert timeformat="%m/%d/%Y" ctime(starttime) AS mytime| eval xy=if(mytime&gt;"12/10/2015",150,100) | fields mytime xy </CODE></PRE> <P>I do a lot of goofiness to get the days in the right format which you shouldn't have to do. The key is the <CODE>eval</CODE> statement. All the stuff leading up to that just generates a set of dates through the first half of December, then converts the created "starttime" from a unix epoch value into a "regular date" named mytime (well, regular for North Americans, mostly, but close enough for others to figure it out). I do that mostly so you can see the precise use case you seemed to need, that of doing date comparison.</P> <P>Then the eval just says if mytime is bigger than 12/10/2015 to make it 150, otherwise make it 100.<BR /><BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/890i8A2D269C9EF1EC73/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P><STRONG>For more complex logic</STRONG>, you could use (re-wrapped because it got a bit long)</P> <PRE><CODE>|gentimes start="12/1/2015" end="12/15/2015" | convert timeformat="%m/%d/%Y" ctime(starttime) AS mytime | eval xy=case(mytime&gt;"12/05/2015" AND mytime&lt;"12/10/2015",150,1==1,100) | fields mytime xy </CODE></PRE> <P>Case does a "test1", "val1 if test1 was true", test2, "val2 if test2 was true", etc... The "1==1" is always true, so that sets the last one as a default of sorts.</P> Tue, 15 Dec 2015 22:09:55 GMT Richfez 2015-12-15T22:09:55Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-timechart-using-eval-to-create-the-fields-and/m-p/273075#M82269 <P>I think this can be done, but I am having some troubles...</P> <P>This is what i am starting with, but not sure how to get it more like what I want below: </P> <PRE><CODE>|gentimes start=-1 | eval temp=100 | eval count="ColumChart2" | table temp count | append [|stats count|eval count="END OF FILE"] </CODE></PRE> <P>What I am hoping for is something like (excuse my code, it is more an explanation at this stage): </P> <PRE><CODE>eval x = 100 | where date &gt;=1/1/2014 AND date &lt;=9/1/2014 | eval y = 150 | where date &gt;=10/1/2014 AND date &lt;=16/1/2014 </CODE></PRE> <P>which I would hope would give me something like this graph: <BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/891iC6E93FB63B6E0925/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>And then ultimately I am holing for something like <BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/892iE20850A120D3CDFD/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Tue, 15 Dec 2015 21:00:02 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-timechart-using-eval-to-create-the-fields-and/m-p/273075#M82269 HattrickNZ 2015-12-15T21:00:02Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-timechart-using-eval-to-create-the-fields-and/m-p/273076#M82270 <P>There's a few ways to do this. Here's one:</P> <PRE><CODE>|gentimes start="12/1/2015" end="12/15/2015" | convert timeformat="%m/%d/%Y" ctime(starttime) AS mytime| eval xy=if(mytime&gt;"12/10/2015",150,100) | fields mytime xy </CODE></PRE> <P>I do a lot of goofiness to get the days in the right format which you shouldn't have to do. The key is the <CODE>eval</CODE> statement. All the stuff leading up to that just generates a set of dates through the first half of December, then converts the created "starttime" from a unix epoch value into a "regular date" named mytime (well, regular for North Americans, mostly, but close enough for others to figure it out). I do that mostly so you can see the precise use case you seemed to need, that of doing date comparison.</P> <P>Then the eval just says if mytime is bigger than 12/10/2015 to make it 150, otherwise make it 100.<BR /><BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/890i8A2D269C9EF1EC73/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P><STRONG>For more complex logic</STRONG>, you could use (re-wrapped because it got a bit long)</P> <PRE><CODE>|gentimes start="12/1/2015" end="12/15/2015" | convert timeformat="%m/%d/%Y" ctime(starttime) AS mytime | eval xy=case(mytime&gt;"12/05/2015" AND mytime&lt;"12/10/2015",150,1==1,100) | fields mytime xy </CODE></PRE> <P>Case does a "test1", "val1 if test1 was true", test2, "val2 if test2 was true", etc... The "1==1" is always true, so that sets the last one as a default of sorts.</P> Tue, 15 Dec 2015 22:09:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-timechart-using-eval-to-create-the-fields-and/m-p/273076#M82270 Richfez 2015-12-15T22:09:55Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-timechart-using-eval-to-create-the-fields-and/m-p/273077#M82271 <P>beautiful answer, 1 pet hate I have is that date format <CODE>%m/%d/%Y</CODE> but thats just me. tks</P> Tue, 15 Dec 2015 22:25:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-timechart-using-eval-to-create-the-fields-and/m-p/273077#M82271 HattrickNZ 2015-12-15T22:25:34Z