Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a chart with Begin datetime in x axis and end Datetime in Y axis

roysoman
Engager
‎12-03-2019 12:46 PM

I have a following query
SEARCH |eval starttime=if(searchmatch("Command-line options for this run"), _time, null())|eval endtime=if(searchmatch("Run ended successfully with exit code 0"), _time, null())| transaction Host,sourcetype, startswith="Command-line options for this run" endswith="Run ended successfully with exit code 0"| eval BeginDateTime=strftime(starttime, "%m/%d/%y %I:%M:%S:%p") | eval FinishDateTime=strftime(endtime, "%m/%d/%y %I:%M:%S:%p") | table BeginDateTime FinishDateTime

Which display BeginDateTime FinishDateTime values properly, But when I try to create a chart from that , its not pulling correct value into Y axis,, Tried timechart and chart options . No luck.. can you help

BeginDateTime↕  FinishDateTime↕

12/02/19 09:15:12:PM 12/03/19 02:59:29:AM
12/01/19 09:15:13:PM 12/02/19 04:16:31:AM
11/30/19 09:15:11:PM 12/01/19 04:12:12:AM
11/29/19 09:15:10:PM 11/30/19 01:49:18:AM
11/28/19 09:15:13:PM 11/29/19 02:07:20:AM
11/27/19 09:15:13:PM 11/28/19 02:44:00:AM
11/26/19 09:15:10:PM 11/27/19 04:47:54:AM

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎12-04-2019 06:00 PM

I just saw that you'd like to do time in both axes. The only way to do this is either to find a custom visualization tool on SplunkBase (filter by App Contents -> Visualizations ) or to abuse the scatterplot visualization in core Splunk. Here is a post to get you started on the latter:
https://answers.splunk.com/answers/785029/what-is-the-best-way-to-get-100ish-greeenyellowred.html

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎12-04-2019 06:00 PM

I just saw that you'd like to do time in both axes. The only way to do this is either to find a custom visualization tool on SplunkBase (filter by App Contents -> Visualizations ) or to abuse the scatterplot visualization in core Splunk. Here is a post to get you started on the latter:
https://answers.splunk.com/answers/785029/what-is-the-best-way-to-get-100ish-greeenyellowred.html

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎12-04-2019 05:53 PM

Never use transaction in a production search. Try this:

SEARCH
| eval starttime=if(searchmatch("Command-line options for this run"), _time, null())
| eval endtime=if(searchmatch("Run ended successfully with exit code 0"), _time, null())
| stats min(_time) AS _time max(_time) AS endtime range(_time) AS duration count BY Host sourcetype
| fieldformat BeginDateTime=strftime(_time, "%m/%d/%y %I:%M:%S:%p") 
| fieldformat FinishDateTime=strftime(endtime, "%m/%d/%y %I:%M:%S:%p")

Then this will work

... | table BeginDateTime FinishDateTime

And alternatively (not sequentially) so will this:

... | timechart Your stuff here

The reason that timechart is failing is that you are throwing away (or modifying) _time.

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

ATTENTION!! We’re MOVING (not really)

Hey, all! In an effort to keep this Slack workspace secure and also to make our new members' experience easy, ...

Splunk Admins: Build a Smarter Stack with These Must-See .conf25 Sessions

  Whether you're running a complex Splunk deployment or just getting your bearings as a new admin, .conf25 ...

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...
Top