How to change the TimeChart values on the basis of... - Splunk Community

Dashboards & Visualizations

Hi Everyone,

I am using Timechart on two same queries but their sorting is different.But still the same values are coming for both the queries. Can someone guide me why.

Below are my queries:

index=abc source="/splunkLogs/JOB_NIFI_STATS_FOR_PLATINUM.csv"| eval fields=split(_raw,",") |eval Environment=mvindex(fields,10)|eval NIFI_PG_ID=mvindex(fields,9) |eval JOB_EXEC_TIME=mvindex(fields,5)|eval RunDate2=mvindex(fields,8)|eval JOB_STATUS=mvindex(fields,2)|eval JOB_NM=mvindex(fields,0)|where Environment="E3"|eval Run_Date=strptime(RunDate2,"%Y%m%d")
|fieldformat Run_Date=strftime(Run_Date,"%d/%b/%Y")|timechart sum(JOB_EXEC_TIME) as TotalExecTime by JOB_NM |eval TotalExecTime=round(TotalExecTime,2)|sort -TotalExecTime

index=abc source="/splunkLogs/JOB_NIFI_STATS_FOR_PLATINUM.csv"| eval fields=split(_raw,",") |eval Environment=mvindex(fields,10)|eval NIFI_PG_ID=mvindex(fields,9) |eval JOB_EXEC_TIME=mvindex(fields,5)|eval RunDate2=mvindex(fields,8)|eval JOB_STATUS=mvindex(fields,2)|eval JOB_NM=mvindex(fields,0)|where Environment="E3"|eval Run_Date=strptime(RunDate2,"%Y%m%d")
|fieldformat Run_Date=strftime(Run_Date,"%d/%b/%Y")|timechart sum(JOB_EXEC_TIME) as TotalExecTime by JOB_NM |eval TotalExecTime=round(TotalExecTime,2)|sort TotalExecTime

Can someone guide me where I am wrong.

Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub Hello Splunk Community! Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...