Dashboards & Visualizations

How to create a chart with Begin datetime in x axis and end Datetime in Y axis

roysoman
Engager

I have a following query
SEARCH |eval starttime=if(searchmatch("Command-line options for this run"), _time, null())|eval endtime=if(searchmatch("Run ended successfully with exit code 0"), _time, null())| transaction Host,sourcetype, startswith="Command-line options for this run" endswith="Run ended successfully with exit code 0"| eval BeginDateTime=strftime(starttime, "%m/%d/%y %I:%M:%S:%p") | eval FinishDateTime=strftime(endtime, "%m/%d/%y %I:%M:%S:%p") | table BeginDateTime FinishDateTime

Which display BeginDateTime FinishDateTime values properly, But when I try to create a chart from that , its not pulling correct value into Y axis,, Tried timechart and chart options . No luck.. can you help

BeginDateTime↕  FinishDateTime↕

12/02/19 09:15:12:PM 12/03/19 02:59:29:AM
12/01/19 09:15:13:PM 12/02/19 04:16:31:AM
11/30/19 09:15:11:PM 12/01/19 04:12:12:AM
11/29/19 09:15:10:PM 11/30/19 01:49:18:AM
11/28/19 09:15:13:PM 11/29/19 02:07:20:AM
11/27/19 09:15:13:PM 11/28/19 02:44:00:AM
11/26/19 09:15:10:PM 11/27/19 04:47:54:AM

0 Karma
1 Solution

woodcock
Esteemed Legend

I just saw that you'd like to do time in both axes. The only way to do this is either to find a custom visualization tool on SplunkBase (filter by App Contents -> Visualizations ) or to abuse the scatterplot visualization in core Splunk. Here is a post to get you started on the latter:
https://answers.splunk.com/answers/785029/what-is-the-best-way-to-get-100ish-greeenyellowred.html

View solution in original post

0 Karma

woodcock
Esteemed Legend

I just saw that you'd like to do time in both axes. The only way to do this is either to find a custom visualization tool on SplunkBase (filter by App Contents -> Visualizations ) or to abuse the scatterplot visualization in core Splunk. Here is a post to get you started on the latter:
https://answers.splunk.com/answers/785029/what-is-the-best-way-to-get-100ish-greeenyellowred.html

0 Karma

woodcock
Esteemed Legend

Never use transaction in a production search. Try this:

SEARCH
| eval starttime=if(searchmatch("Command-line options for this run"), _time, null())
| eval endtime=if(searchmatch("Run ended successfully with exit code 0"), _time, null())
| stats min(_time) AS _time max(_time) AS endtime range(_time) AS duration count BY Host sourcetype
| fieldformat BeginDateTime=strftime(_time, "%m/%d/%y %I:%M:%S:%p") 
| fieldformat FinishDateTime=strftime(endtime, "%m/%d/%y %I:%M:%S:%p")

Then this will work

... | table BeginDateTime FinishDateTime

And alternatively (not sequentially) so will this:

... | timechart Your stuff here

The reason that timechart is failing is that you are throwing away (or modifying) _time.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...