Dashboards & Visualizations

How to create a trendline graph for a span of 1 hour?

sru
Engager

Here is the query for the dashboard. Please provide a solution to get a trendline graph for a span of 1 hour.

`sap-abap(WE02)` source=VPR DIRECT=2 (MESTYP=MBGMCR) EVENT_TYPE=WE02
| eval CREDATIM=CREDAT.CRETIM
| eval UPDDATTIM=UPDDAT.UPDTIM
| eval _time=strptime(UPDDATTIM, "%Y%m%d")
| stats latest(STATUS) as STATUS, earliest(CREDATIM) as CREDATIM, latest(CREDATIM) as CREDATIM_L, earliest(UPDDATTIM) as UPDDATTIM, latest(UPDDATTIM) as UPDDATTIM_L, latest(_time) as _time by DOCNUM MESTYP
| eval Failed_Count=if(STATUS="51",1,0)
| stats dc(DOCNUM) as TotalIDOCS, sum(Failed_Count) as Failed_Count, earliest(CREDATIM) as CREDATIM, latest(CREDATIM) as CREDATIM_L, earliest(UPDDATTIM) as UPDDATTIM, latest(UPDDATTIM) as UPDDATTIM_L by MESTYP _time
| eval epochtime=strptime(UPDDATTIM,"%Y%m%d%H%M%S")
| eval "IDoc Updated From" = strftime(epochtime, "%m/%d/%Y %H:%M:%S")
| eval epochtime=strptime(UPDDATTIM_L,"%Y%m%d%H%M%S")
| eval "IDoc Updated To" = strftime(epochtime, "%m/%d/%Y %H:%M:%S")
| eval epochtime=strptime(CREDATIM_L,"%Y%m%d%H%M%S")
| eval "IDoc Created To" = strftime(epochtime, "%m/%d/%Y %H:%M:%S")
| eval epochtime=strptime(CREDATIM,"%Y%m%d%H%M%S")
| eval "IDoc Created From" = strftime(epochtime, "%m/%d/%Y %H:%M:%S")
| table _time MESTYP "IDoc Created From" "IDoc Created To" "IDoc Updated From" "IDoc Updated To" TotalIDOCS Failed_Count
| join type=left max=0 MESTYP
    [ search `sap-abap(WE02)` source=VPR DIRECT=2 (MESTYP=MBGMCR) EVENT_TYPE=WE02
    | eval UPDDATTIM=UPDDAT.UPDTIM
    | eval _time=strptime(UPDDATTIM, "%Y%m%d%H%M%S")
    | dedup _time, STATUS, DOCNUM, MESTYP
    | eval Failed_IDOC=if(STATUS="51",1,0)
    | stats sum(Failed_IDOC) as Failed_Count, latest(STATUS) as STATUS by DOCNUM, MESTYP, PARTNR
    | where Failed_Count>=4
    | eval REP_4_Failing=if(Failed_Count>4 and STATUS=51,1,0)
    | where REP_4_Failing>=1 ]
| stats count by _time, PARTNR, MESTYP
| eval PARTNR_MESTYP = PARTNR + " - " + MESTYP
| timechart sum(count) as failure_count span=1h by PARTNR_MESTYP useother=f
0 Karma

muebel
SplunkTrust

Hi sru, timechart is usually a fine way of drawing trends, and at a glance, this search seems to end with that, spanned by 1h.

So, what's the issue? Could you post a screenshot of what you are seeing, along with a description of what you would want to see?

Also, a generic dataset might be helpful as well.

0 Karma