Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to obtain a visualisation based on time (x-axis) for a multi series search (table)?

zebu14
Explorer
‎07-11-2018 08:03 AM

Hello,

I am using a table type search with visualisation with multiple fields to render.
The purpose of this search is to match two events in a transaction (incoming file and outgoing file) and calculate some infos (bandwidth, duration...)

My search is :

index="" sourcetype= | transaction file_component maxpause=5m |eval debit=Size/duration | table file_component,Size,duration,debit

This give me a multi series visualisation in which "file_component" (the transaction id) is the x-axis, so events are sorted with transaction id but not with time.

I tried to add:

index="" sourcetype= | transaction file_component maxpause=5m |eval debit=Size/duration | table file_component,Size,duration,debit,_time | sort by _time

This worked for sorting the results by time, but X-axis is still based on transaction id and I can't find the date and time of a transfer by just hovering the mouse on the graphs.

alt text

Any idea?

Thanks

Preview file
61 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎07-11-2018 08:59 AM

Hi @zebu14,

You could get _time on x-axis by changing the order ie. index="" sourcetype= | transaction file_component maxpause=5m |eval debit=Size/duration | table _time ,file_component,Size,duration,debit
However, normally time based charting is done based on aggregation function using stats/timechart

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎07-11-2018 08:59 AM

Hi @zebu14,

You could get _time on x-axis by changing the order ie. index="" sourcetype= | transaction file_component maxpause=5m |eval debit=Size/duration | table _time ,file_component,Size,duration,debit
However, normally time based charting is done based on aggregation function using stats/timechart

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

zebu14
Explorer
‎07-12-2018 12:52 AM

Thanks for the tip.
I usually use timechart function, but I'm still a beginner and I still don't manage the use of timechart with multiple parameters

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...