Hi all,
I'm trying to chart some web service response times (eg, 300ms) against time. This is so that over the course of a day I can see a graph of what the response times look like. While this is easy to do, the kicker is that I would like to be able to mouse over a point on the graph and have the transaction ID show up for the event that generated the response time.
Now, the logical way to do this is with xyseries like so: xyseries _time,ID,responseTime
When I go to do this in reality however, I get a mess of results back that do not chart correctly. I can only conclude that 'xyseries' is broken somehow, since it initially starts to plot them correctly, but then falls over and dies. It's not a huge amount of values - only 72 results, so I can't understand it.
Any ideas on how to do a chart of values vs time, with a label attached to the column on the graph?
Thanks guys!
perhaps the following answer will help you in your task :
Look at this search code which is build with timechart command :
source="airports.csv" |timechart sum(number) as sum by City
The same code search with xyseries command is :
source="airports.csv" |stats sum(number) as sum by _time , City
| eval s1="Aaa" | makemv s1 | mvexpand s1
| eval yval=case(s1=="Aaa",sum)
| eval series=City |convert timeformat="%a %b %d %Y" ctime(_time) AS c_time | xyseries c_time,series,yval
Note that the code : convert timeformat="%a %b %d %Y" ctime(_time) AS c_time is used to change _time command format in the format which is almost like the _time format which appear when we use timechart command.
For more information , click on this link to understand well how use timechart vs xyseries
http://docs.splunk.com/Documentation/Splunk/6.2.0/Search/Chartmultipledataseries
Notice : just replace attentively all my field with your own field .