Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to plot time chart line chart?

CodingMaestro
Path Finder
‎03-07-2023 02:54 PM

Hello,

So currently I have a trendline like below... 

CodingMaestro_0-1678229234051.png

 

But I need to have the visual in a way where it shows the stats sum(books) for another date which shows the trend of what it was 4 weeks ago for the stats sum (books) and what it is currently, i tried using span but what that does is it shows me how many books for that particular day and not the stats sum(books) in total. I need something like below.. any help would be greatly appreciated.

CodingMaestro_1-1678229665071.png

 

 

 

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-08-2023 04:20 AM

Yes, you are right - try this

| stats latest(bookName) by id bookNumber _time
| stats dc(bookNumber ) as Books by id _time
| table id Books _time
| timechart span=4w sum(Books)

Note that the date used will be the start of the 4 week period but still contains the sum of all the days in that period.

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-07-2023 11:27 PM 
| timechart sum(books) span=4w
0 Karma
Reply
Solved! Jump to solution

CodingMaestro
Path Finder
‎03-08-2023 01:53 AM

@ITWhisperer Hello, i tried this but the issue with this is that it is not counting the sum(books) as the total it is only counting the sum(books) total for that particular day.,

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-08-2023 01:56 AM

Please share the complete SPL you are using when you say it is only counting for a particular day

0 Karma
Reply
Solved! Jump to solution

CodingMaestro
Path Finder
‎03-08-2023 02:30 AM

@ITWhisperer 

index=.....
| stats latest(bookName) by id bookNumber _time
| stats dc(bookNumber ) as Books by id _time
| table id Books _time
| timechart span=24h sum(Books) as Total_Books_Read
| search Total_Books_Read!="null"

 

the search is running for the last 24 hours..

So i am getting a visual(trendline) that has 524,900 for sum(books)for the last 24 hours but i need a visual that shows the sum(books) every 4 weeks, for the last year. but when i use span=4w for example and have the search run for last year it shows the sum(books) only for that particular day.   

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-08-2023 03:24 AM

Given

| stats latest(bookName) by id bookNumber _time

Then all the counts given by

| stats dc(bookNumber ) as Books by id _time

will be 1, therefore you just need to count the events from the first stats line by time.

index=.....
| stats latest(bookName) by id bookNumber _time
| timechart span=4w count

 

0 Karma
Reply
Solved! Jump to solution

CodingMaestro
Path Finder
‎03-08-2023 03:47 AM

I cannot really do that as i need the stats sum(books) because for example the books field might have 8, its not always one henceforth that is why i am using stats sum

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-08-2023 04:20 AM

Yes, you are right - try this

| stats latest(bookName) by id bookNumber _time
| stats dc(bookNumber ) as Books by id _time
| table id Books _time
| timechart span=4w sum(Books)

Note that the date used will be the start of the 4 week period but still contains the sum of all the days in that period.

Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎03-07-2023 03:30 PM

Basically you want to search for both time ranges you are making comparison for, then do something like

| timechart sum(Books) span=1mon
| timewrap 1y

to wrap the time periods over a 1year period (I see your example shows a monthly figure for another period - so assume it's a 1y comparison)

 

0 Karma
Reply
Solved! Jump to solution

CodingMaestro
Path Finder
‎03-08-2023 01:51 AM

I tried this did not work 😞

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎03-07-2023 03:26 PM

What's your current query?

0 Karma
Reply
Solved! Jump to solution

CodingMaestro
Path Finder
‎03-08-2023 01:50 AM

@bowesmana My current query is as below:
| timechart span=24h sum(Books) as Total_Books
| search Total_Books!="null"

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...