Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a chart with Begin datetime in x axis and end Datetime in Y axis

roysoman
Engager
‎12-03-2019 12:46 PM

I have a following query
SEARCH |eval starttime=if(searchmatch("Command-line options for this run"), _time, null())|eval endtime=if(searchmatch("Run ended successfully with exit code 0"), _time, null())| transaction Host,sourcetype, startswith="Command-line options for this run" endswith="Run ended successfully with exit code 0"| eval BeginDateTime=strftime(starttime, "%m/%d/%y %I:%M:%S:%p") | eval FinishDateTime=strftime(endtime, "%m/%d/%y %I:%M:%S:%p") | table BeginDateTime FinishDateTime

Which display BeginDateTime FinishDateTime values properly, But when I try to create a chart from that , its not pulling correct value into Y axis,, Tried timechart and chart options . No luck.. can you help

BeginDateTime↕  FinishDateTime↕

12/02/19 09:15:12:PM 12/03/19 02:59:29:AM
12/01/19 09:15:13:PM 12/02/19 04:16:31:AM
11/30/19 09:15:11:PM 12/01/19 04:12:12:AM
11/29/19 09:15:10:PM 11/30/19 01:49:18:AM
11/28/19 09:15:13:PM 11/29/19 02:07:20:AM
11/27/19 09:15:13:PM 11/28/19 02:44:00:AM
11/26/19 09:15:10:PM 11/27/19 04:47:54:AM

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎12-04-2019 06:00 PM

I just saw that you'd like to do time in both axes. The only way to do this is either to find a custom visualization tool on SplunkBase (filter by App Contents -> Visualizations ) or to abuse the scatterplot visualization in core Splunk. Here is a post to get you started on the latter:
https://answers.splunk.com/answers/785029/what-is-the-best-way-to-get-100ish-greeenyellowred.html

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎12-04-2019 06:00 PM

I just saw that you'd like to do time in both axes. The only way to do this is either to find a custom visualization tool on SplunkBase (filter by App Contents -> Visualizations ) or to abuse the scatterplot visualization in core Splunk. Here is a post to get you started on the latter:
https://answers.splunk.com/answers/785029/what-is-the-best-way-to-get-100ish-greeenyellowred.html

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎12-04-2019 05:53 PM

Never use transaction in a production search. Try this:

SEARCH
| eval starttime=if(searchmatch("Command-line options for this run"), _time, null())
| eval endtime=if(searchmatch("Run ended successfully with exit code 0"), _time, null())
| stats min(_time) AS _time max(_time) AS endtime range(_time) AS duration count BY Host sourcetype
| fieldformat BeginDateTime=strftime(_time, "%m/%d/%y %I:%M:%S:%p") 
| fieldformat FinishDateTime=strftime(endtime, "%m/%d/%y %I:%M:%S:%p")

Then this will work

... | table BeginDateTime FinishDateTime

And alternatively (not sequentially) so will this:

... | timechart Your stuff here

The reason that timechart is failing is that you are throwing away (or modifying) _time.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...