Dashboards & Visualizations

How to create a trendline graph for a span of 1 hour?

sru
Engager

Here is the query for the dashboard, please provide a solution to get a trendline graph for a span of 1 hour

sap-abap(WE02)source=VPR DIRECT=2 (MESTYP=MBGMCR) EVENT_TYPE=WE02 
| eval CREDATIM=CREDAT.CRETIM
| eval UPDDATTIM=UPDDAT.UPDTIM
| eval _time=strptime(UPDDATTIM, "%Y%m%d")
| stats  latest(STATUS) as STATUS , earliest(CREDATIM) as CREDATIM, latest(CREDATIM) as CREDATIM_L, earliest(UPDDATTIM) as UPDDATTIM, latest(UPDDATTIM) as UPDDATTIM_L, latest(_time) as _time by DOCNUM  MESTYP
| eval Failed_Count=if(STATUS="51",1,0)
| stats dc(DOCNUM) as TotalIDOCS, sum(Failed_Count) as Failed_Count , earliest(CREDATIM) as CREDATIM, latest(CREDATIM) as CREDATIM_L, earliest(UPDDATTIM) as UPDDATTIM, latest(UPDDATTIM) as UPDDATTIM_L by MESTYP _time
|eval  epochtime=strptime(UPDDATTIM,"%Y%m%d%H%M%S") | eval "IDoc Updated From" = strftime(epochtime, "%m/%d/%Y %H:%M:%S")
|eval  epochtime=strptime(UPDDATTIM_L,"%Y%m%d%H%M%S") | eval "IDoc Updated To" = strftime(epochtime, "%m/%d/%Y %H:%M:%S")
|eval  epochtime=strptime(CREDATIM_L,"%Y%m%d%H%M%S") | eval "IDoc Created To" = strftime(epochtime, "%m/%d/%Y %H:%M:%S")
|eval  epochtime=strptime(CREDATIM,"%Y%m%d%H%M%S") | eval "IDoc Created From" = strftime(epochtime, "%m/%d/%Y %H:%M:%S")
| table _time MESTYP  "IDoc Created From" "IDoc Created To" "IDoc Updated From" "IDoc Updated To" TotalIDOCS Failed_Count | join type=left max=0 MESTYP [search `sap-abap(WE02)`source=VPR DIRECT=2 (MESTYP=MBGMCR) EVENT_TYPE=WE02 
| eval UPDDATTIM=UPDDAT.UPDTIM 
| eval _time=strptime(UPDDATTIM, "%Y%m%d%H%M%S")
| dedup _time, STATUS, DOCNUM, MESTYP 
| eval Failed_IDOC=if(STATUS="51",1,0)
| stats sum(Failed_IDOC) as Failed_Count, latest(STATUS) as STATUS by DOCNUM, MESTYP, PARTNR
| where Failed_Count>=4
| eval REP_4_Failing= if(Failed_Count>4 and STATUS=51,1,0)| where REP_4_Failing>=1 ]  | stats count by _time, PARTNR, MESTYP |eval PARTNR_MESTYP = PARTNR + " - " + MESTYP | timechart sum(count) as failure_count span=1h by PARTNR_MESTYP useother=f
0 Karma

muebel
SplunkTrust
SplunkTrust

Hi sru, timechart is usually a fine way of drawing trends, and at a glance, this search seems to end with that, spanned by 1h.

So, what's the issue? Could you post a screenshot of what you are seeing, along with a description of what you would want to see?

Also, a generic dataset might be helpful as well.

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...