How to create a line graph in XML that displays the (latest time - earliest time)

Communicator

Background: Every day, I run a script on a log file which filters it into another file. I then indexed the filtered file. So I want to create a line graph that takes the earliest time and latest time (first line and last line of the filtered file) and displays them on a line graph.

For example: In the log file I will have...

2013-06-20 03:12:30,001 INFORMATION Begin TITLE OF SCRIPT
.
.
.

2013-06-20 04:12:30,001 INFORMATION Finished TITLE OF SCRIPT 

(It can be different from the first script)

So the fields I have at the moment are: Date = 2013-06-20, date_hour=04, date_minute=12, date_second=30, position=finished

What I have so far for my search is...

host=... source=... | search earliest | 
0 Karma

Communicator

So I still haven't been able to figure this out. I looked at every command with the answer below. However, I still can't get the right output. My XML code is...

<row>
    <panel>
      <chart>
        <title>Completion Time</title>
        <searchString>host=.... source=.... | stats max(_time) AS Latest min(_time) AS Earliest | eval temp=Latest - Earliest | table temp | makemv temp | mvexpand temp | rename temp as _time | eval Series=1</searchString>
        <earliestTime>$timetoken.earliest$</earliestTime>
        <latestTime>$timetoken.latest$</latestTime>
        <search>
          <query>host=.... source=..... | stats max(_time) AS Latest min(_time) AS Earliest | eval temp=Latest - Earliest | table temp | makemv temp | mvexpand temp | rename temp as _time | eval Series=1</query>
          <earliest>$timetoken.earliest$</earliest>
          <latest>$timetoken.latest$</latest>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.axisY2.enabled">false</option>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">zero</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.axisTitleY.text">Completion Time</option>
        <option name="charting.drilldown">all</option>
      </chart>
    </panel>
</row>
0 Karma

Communicator

@somesoni2

0 Karma

Communicator

It's not showing a line at all on my graph. And it goes back to 1970 for some reason even though the pull-down I have on the dashboard is only at today. (Today is default)

0 Karma

SplunkTrust

Try something like this

your base search | stats max(_time) as Latest min(_time) as Earliest | eval temp=Latest." ".Earliest | table temp | makemv temp | mvexpand temp | rename temp as _time | eval Series=1
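
An added example, not part of the thread: a Python model of the two SPL pipelines above. It shows why a duration renamed to _time lands in 1970, while the string concatenation followed by makemv and mvexpand yields two rows at the real timestamps. The sample log lines are constructed in the question's format, UTC is assumed, and the function names are illustrative.

```python
from datetime import datetime, timezone

# Constructed sample in the log format from the question (UTC assumed).
LOG = """\
2013-06-20 03:12:30,001 INFORMATION Begin TITLE OF SCRIPT
2013-06-20 03:40:02,517 INFORMATION Working TITLE OF SCRIPT
2013-06-20 04:12:30,001 INFORMATION Finished TITLE OF SCRIPT
"""

def event_times(log):
    """Epoch seconds for each event, the form Splunk keeps in _time."""
    fmt = "%Y-%m-%d %H:%M:%S,%f"
    return [datetime.strptime(line[:23], fmt).replace(tzinfo=timezone.utc).timestamp()
            for line in log.splitlines()]

def stats_min_max(times):
    # stats max(_time) AS Latest min(_time) AS Earliest  -> a single row
    return {"Latest": max(times), "Earliest": min(times)}

def question_pipeline(times):
    row = stats_min_max(times)
    temp = row["Latest"] - row["Earliest"]  # eval temp=Latest - Earliest (a duration)
    # makemv/mvexpand leave a single value as one row; rename puts it in _time
    return [{"_time": temp, "Series": 1}]

def answer_pipeline(times):
    row = stats_min_max(times)
    temp = f'{row["Latest"]} {row["Earliest"]}'  # eval temp=Latest." ".Earliest
    values = temp.split(" ")                      # makemv temp (space delimiter)
    # mvexpand temp: one row per value; rename temp as _time; eval Series=1
    return [{"_time": float(v), "Series": 1} for v in values]

def as_utc(epoch):
    """Interpret a number as epoch seconds, the way a time axis does."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc)

if __name__ == "__main__":
    times = event_times(LOG)
    for name, rows in (("question", question_pipeline(times)),
                       ("answer", answer_pipeline(times))):
        for r in rows:
            print(name, r["_time"], as_utc(r["_time"]).isoformat())
```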

Communicator

Could you try to explain your commands? Just for future reference. Thank you for your answer.

0 Karma

Communicator

Was latest." ".earliest for an operator?

0 Karma