- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- How to use Timewrap to create comparative graph or...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to use Timewrap to create comparative graph or line charts showing transaction totals?
Hey Splunkers,
Last week i asked http://answers.splunk.com/answers/142779/creating-comparative-graphs
I was referred to use timewrap. now that i have this setup, i am struggling with getting the results to show. below is my current search i am using, i posted some return results further below. The problem is this isn't producing visuals in splunk. I am unsure why that is now, my goal here is:
"I want to create a graph or line chart that will show transaction total on a day vs day, week vs week, month vs month, quarter vs quarter."
This particular search i am trying to compare the same hour of each day over the last week.
index=pfe_os_messages sourcetype="log4j" getSettle* earliest =-7@d date_hour=9| rex "getSettle(?:Now|ment)Total.+?(?
Event returns:
2014-07-01 09:45:36,884 INFO [ aaa-AMON0m4y-6LZEjYBu ENC12195954] invoice.AcquireInvoice (AcquireInvoice.foo) - getSettlementTotal(): 0
2014-07-01 09:45:36,883 INFO [foo aaa-AMON0m4y-6LZEjYBu ENC12195954] invoice.AcquireInvoice (AcquireInvoice.foo) - getSettleNowTotal(): 3200
2014-07-01 09:45:32,729 INFO [foo aaa-AMON0m4y-6LZEjYBu ENC12195954] invoice.AcquireInvoice (AcquireInvoice.foo) - getSettleNowTotal(): 3200
2014-07-01 09:45:32,688 INFO [foo aaa-AMON0m4y-6LZEjYBu ENC12195954] invoice.AcquireInvoice (AcquireInvoice.foo) - getSettleNowTotal(): 3200
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Don't you want ... | timechart sum(settlement) span=1h | ... ?
I think you should take it a step at a time. Get yourself hourly sums over the past week or 8 days first. This may be:
index=pfe_os_messages sourcetype="log4j" getSettle* |
rex "getSettle(?:Now|ment)Total.+?(?d+)" |
search settlement="*" |
timechart sum(settlement) span=1h
Then once you have that right the ... | timewrap w | ... should work fine. Don't worry about the formatting until you get that working, because you can always use something like ...| fieldformat settlement="$" + tostring(settlement, "commas") ... to reformat the output afterwards.
So, untested and will probably will cause errors (but only minor ones - it shouldn't cause errors involving dogs and cats living together!), but ...
index=pfe_os_messages sourcetype="log4j" getSettle* |
rex "getSettle(?:Now|ment)Total.+?(?d+)" |
search settlement="*" |
timechart sum(settlement) span=1h |
timewrap w |
where strftime(_time, "%A") == "Thursday" |
fieldformat settlement="$" + tostring(settlement, "commas")
Your mileages may vary, but maybe this will get you pointed in the right direction.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I still havent quite figured it out but i can get and hourly comparison on a week vs week now.
query:
index=pfe_os_messages sourcetype="log4j" getSettle* | rex "getSettle(?:Now|ment)Total.+?(?
| timewrap w
| where strftime(_time, "%A") == "Thursday"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
in your original search should you not change this earliest =-7@d to earliest =-7d@d
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
