Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- How to create a chart with Begin datetime in x ax...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a following query
SEARCH |eval starttime=if(searchmatch("Command-line options for this run"), _time, null())|eval endtime=if(searchmatch("Run ended successfully with exit code 0"), _time, null())| transaction Host,sourcetype, startswith="Command-line options for this run" endswith="Run ended successfully with exit code 0"| eval BeginDateTime=strftime(starttime, "%m/%d/%y %I:%M:%S:%p") | eval FinishDateTime=strftime(endtime, "%m/%d/%y %I:%M:%S:%p") | table BeginDateTime FinishDateTime
Which display BeginDateTime FinishDateTime values properly, But when I try to create a chart from that , its not pulling correct value into Y axis,, Tried timechart and chart options . No luck.. can you help
BeginDateTime↕ FinishDateTime↕
12/02/19 09:15:12:PM 12/03/19 02:59:29:AM
12/01/19 09:15:13:PM 12/02/19 04:16:31:AM
11/30/19 09:15:11:PM 12/01/19 04:12:12:AM
11/29/19 09:15:10:PM 11/30/19 01:49:18:AM
11/28/19 09:15:13:PM 11/29/19 02:07:20:AM
11/27/19 09:15:13:PM 11/28/19 02:44:00:AM
11/26/19 09:15:10:PM 11/27/19 04:47:54:AM
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I just saw that you'd like to do time in both axes. The only way to do this is either to find a custom visualization tool on SplunkBase (filter by App Contents -> Visualizations ) or to abuse the scatterplot visualization in core Splunk. Here is a post to get you started on the latter:
https://answers.splunk.com/answers/785029/what-is-the-best-way-to-get-100ish-greeenyellowred.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I just saw that you'd like to do time in both axes. The only way to do this is either to find a custom visualization tool on SplunkBase (filter by App Contents -> Visualizations ) or to abuse the scatterplot visualization in core Splunk. Here is a post to get you started on the latter:
https://answers.splunk.com/answers/785029/what-is-the-best-way-to-get-100ish-greeenyellowred.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Never use transaction in a production search. Try this:
SEARCH
| eval starttime=if(searchmatch("Command-line options for this run"), _time, null())
| eval endtime=if(searchmatch("Run ended successfully with exit code 0"), _time, null())
| stats min(_time) AS _time max(_time) AS endtime range(_time) AS duration count BY Host sourcetype
| fieldformat BeginDateTime=strftime(_time, "%m/%d/%y %I:%M:%S:%p")
| fieldformat FinishDateTime=strftime(endtime, "%m/%d/%y %I:%M:%S:%p")
Then this will work
... | table BeginDateTime FinishDateTime
And alternatively (not sequentially) so will this:
... | timechart Your stuff here
The reason that timechart is failing is that you are throwing away (or modifying) _time.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
