Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to draw cumulative timechart using a csv file?

vcanal
Explorer
‎09-05-2022 09:51 AM

Hello,

I'm trying to draw a cumulative timechart using a csv file which contains events, each event with its starting date and its ending date (basically three fields : "EventName", "StartingDate" and "EndingDate"). The line in the chart should increase when an event starts and decrease when an event finishes. I attached an example of what I am trying to explain, hope it helps.

I tried to create time ranges with the starting and ending date to draw the chart I want, but I'm not sure it's the correct way to do it...

Thanks in advance

Labels (2)
Labels
Preview file
56 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-06-2022 08:13 AM

No, I missed the days in the multiplication - having said that, use relative_time() instead as it copes with DST changes better - also set the span for timechart so it doesn't default to something else

| eval days=mvrange(0, floor((EndingDate - StartingDate) / (60*60*24)))
| mvexpand days
| eval StartingDate = relative_time(StartingDate,"+".days."d")
| eval _time = StartingDate
| timechart span=1d count

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-05-2022 10:36 AM 
| eval days=mvrange(0, floor((EndingDate - StartingDate) / (60*60*24)))
| mvexpand days
| eval StartingDate = StartingDate + (60*60*24)
| eval _time = StartingDate
| timechart count
Reply
Solved! Jump to solution

vcanal
Explorer
‎09-06-2022 05:40 AM

Thank you for your quick response ! 

I tried your solution (the csv test file and the result are attached), but the line doesn't remain constant like I would like. 

Did I miss something ?

Preview file
70 KB
0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-06-2022 08:13 AM

No, I missed the days in the multiplication - having said that, use relative_time() instead as it copes with DST changes better - also set the span for timechart so it doesn't default to something else

| eval days=mvrange(0, floor((EndingDate - StartingDate) / (60*60*24)))
| mvexpand days
| eval StartingDate = relative_time(StartingDate,"+".days."d")
| eval _time = StartingDate
| timechart span=1d count
Reply
Solved! Jump to solution

vcanal
Explorer
‎09-06-2022 09:03 AM

Thanks a lot, it's exactly what I was looking for!

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...