Dashboards & Visualizations

Chart responseTime against _time with TransactionID as label (xyseries?)

milestulett
Path Finder

Hi all,

I'm trying to chart some web service response times (eg, 300ms) against time. This is so that over the course of a day I can see a graph of what the response times look like. While this is easy to do, the kicker is that I would like to be able to mouse over a point on the graph and have the transaction ID show up for the event that generated the response time.

Now, the logical way to do this is with xyseries like so: xyseries _time,ID,responseTime

When I go to do this in reality however, I get a mess of results back that do not chart correctly. I can only conclude that 'xyseries' is broken somehow, since it initially starts to plot them correctly, but then falls over and dies. It's not a huge amount of values - only 72 results, so I can't understand it.

Any ideas on how to do a chart of values vs time, with a label attached to the column on the graph?

Thanks guys!

Tags (1)
0 Karma

chimell
Motivator

perhaps the following answer will help you in your task :

Look at this search code which is build with timechart command :

source="airports.csv" |timechart sum(number) as sum by City

The same code search with xyseries command is :

source="airports.csv" |stats sum(number) as sum by _time , City
     | eval s1="Aaa" | makemv s1 | mvexpand s1
     | eval yval=case(s1=="Aaa",sum) 
     | eval series=City |convert timeformat="%a %b %d %Y" ctime(_time) AS c_time  | xyseries c_time,series,yval    

Note that the code : convert timeformat="%a %b %d %Y" ctime(_time) AS c_time is used to change _time command format in the format which is almost like the _time format which appear when we use timechart command.

For more information , click on this link to understand well how use timechart vs xyseries
http://docs.splunk.com/Documentation/Splunk/6.2.0/Search/Chartmultipledataseries

Notice : just replace attentively all my field with your own field .

Get Updates on the Splunk Community!

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...

Splunk Classroom Chronicles: Training Tales and Testimonials

Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...

Access Tokens Page - New & Improved

Splunk Observability Cloud recently launched an improved design for the access tokens page for better ...