Archive

Timechart results in to week buckets - keeps forcing monthly

New Member

Splunk can be pretty mean at times and do things that have no sense. Im trying to create a chart that shows a few percentages from data going back 6 months which is plopped in to week buckets. The below query is only creating monthly buckets though...

index=pmc sourcetype=stash source="PDL Per*" WORKFLOWSTATUSID!=1 earliest=-6mon@w
| eval WORKFLOWSTATUSID=case(WORKFLOWSTATUSID==0,"Finished", WORKFLOWSTATUSID==1, "In Progress", WORKFLOWSTATUSID==4, "Error",WORKFLOWSTATUSID==7,"Failed", 1=1, "Other") 
| bin _time span=7d
| timechart mean(percent) as percent by WORKFLOWSTATUSID usenull=f span=7d

All help is appreciated greatly.

Tags (1)
0 Karma
1 Solution

Super Champion

can you either remove the bin _time or make the timechart into a chart and see if that works?

index=pmc sourcetype=stash source="PDL Per*" WORKFLOWSTATUSID!=1 earliest=-6mon@w
 | eval WORKFLOWSTATUSID=case(WORKFLOWSTATUSID==0,"Finished", WORKFLOWSTATUSID==1, "In Progress", WORKFLOWSTATUSID==4, "Error",WORKFLOWSTATUSID==7,"Failed", 1=1, "Other") 
 | timechart mean(percent) as percent by WORKFLOWSTATUSID usenull=f span=7d

OR

index=pmc sourcetype=stash source="PDL Per*" WORKFLOWSTATUSID!=1 earliest=-6mon@w
 | eval WORKFLOWSTATUSID=case(WORKFLOWSTATUSID==0,"Finished", WORKFLOWSTATUSID==1, "In Progress", WORKFLOWSTATUSID==4, "Error",WORKFLOWSTATUSID==7,"Failed", 1=1, "Other") 
 | bin _time span=7d
 | chart mean(percent) as percent by _time WORKFLOWSTATUSID usenull=f 

View solution in original post

0 Karma

New Member

Cheers cmerriman.

The latter option worked. Am I right in saying its bizarre that my original query was duff?

0 Karma

Splunk Employee
Splunk Employee

did you try moving span ?

 | timechart span=7d mean(percent) as percent by WORKFLOWSTATUSID usenull=f 

If I recall correctly, order matters here

SplunkTrust
SplunkTrust

That was my first thought too

0 Karma

Super Champion

can you either remove the bin _time or make the timechart into a chart and see if that works?

index=pmc sourcetype=stash source="PDL Per*" WORKFLOWSTATUSID!=1 earliest=-6mon@w
 | eval WORKFLOWSTATUSID=case(WORKFLOWSTATUSID==0,"Finished", WORKFLOWSTATUSID==1, "In Progress", WORKFLOWSTATUSID==4, "Error",WORKFLOWSTATUSID==7,"Failed", 1=1, "Other") 
 | timechart mean(percent) as percent by WORKFLOWSTATUSID usenull=f span=7d

OR

index=pmc sourcetype=stash source="PDL Per*" WORKFLOWSTATUSID!=1 earliest=-6mon@w
 | eval WORKFLOWSTATUSID=case(WORKFLOWSTATUSID==0,"Finished", WORKFLOWSTATUSID==1, "In Progress", WORKFLOWSTATUSID==4, "Error",WORKFLOWSTATUSID==7,"Failed", 1=1, "Other") 
 | bin _time span=7d
 | chart mean(percent) as percent by _time WORKFLOWSTATUSID usenull=f 

View solution in original post

0 Karma

SplunkTrust
SplunkTrust

What happens if you change 7d to 1w?

0 Karma

New Member

Here is an image of the results:

alt text

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!