Dashboards & Visualizations

How to plot time chart line chart?

CodingMaestro
Path Finder

Hello,

So currently I have a trendline like below... 

CodingMaestro_0-1678229234051.png

 

But I need to have the visual in a way where it shows the stats sum(books) for another date which shows the trend of what it was 4 weeks ago for the stats sum (books) and what it is currently, i tried using span but what that does is it shows me how many books for that particular day and not the stats sum(books) in total. I need something like below.. any help would be greatly appreciated.

CodingMaestro_1-1678229665071.png

 

 

 

Labels (3)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Yes, you are right - try this

| stats latest(bookName) by id bookNumber _time
| stats dc(bookNumber ) as Books by id _time
| table id Books _time
| timechart span=4w sum(Books)

Note that the date used will be the start of the 4 week period but still contains the sum of all the days in that period.

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust
| timechart sum(books) span=4w
0 Karma

CodingMaestro
Path Finder

@ITWhisperer Hello, i tried this but the issue with this is that it is not counting the sum(books) as the total it is only counting the sum(books) total for that particular day.,

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Please share the complete SPL you are using when you say it is only counting for a particular day

0 Karma

CodingMaestro
Path Finder

@ITWhisperer 

index=.....
| stats latest(bookName) by id bookNumber _time
| stats dc(bookNumber ) as Books by id _time
| table id Books _time
| timechart span=24h sum(Books) as Total_Books_Read
| search Total_Books_Read!="null"

 

the search is running for the last 24 hours..

So i am getting a visual(trendline) that has 524,900 for sum(books)for the last 24 hours but i need a visual that shows the sum(books) every 4 weeks, for the last year. but when i use span=4w for example and have the search run for last year it shows the sum(books) only for that particular day.   

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Given

| stats latest(bookName) by id bookNumber _time

Then all the counts given by

| stats dc(bookNumber ) as Books by id _time

will be 1, therefore you just need to count the events from the first stats line by time.

index=.....
| stats latest(bookName) by id bookNumber _time
| timechart span=4w count

 

0 Karma

CodingMaestro
Path Finder

I cannot really do that as i need the stats sum(books) because for example the books field might have 8, its not always one henceforth that is why i am using stats sum

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Yes, you are right - try this

| stats latest(bookName) by id bookNumber _time
| stats dc(bookNumber ) as Books by id _time
| table id Books _time
| timechart span=4w sum(Books)

Note that the date used will be the start of the 4 week period but still contains the sum of all the days in that period.

bowesmana
SplunkTrust
SplunkTrust

Basically you want to search for both time ranges you are making comparison for, then do something like

| timechart sum(Books) span=1mon
| timewrap 1y

to wrap the time periods over a 1year period (I see your example shows a monthly figure for another period - so assume it's a 1y comparison)

 

0 Karma

CodingMaestro
Path Finder

I tried this did not work 😞

0 Karma

bowesmana
SplunkTrust
SplunkTrust

What's your current query?

0 Karma

CodingMaestro
Path Finder

@bowesmana My current query is as below:
| timechart span=24h sum(Books) as Total_Books
| search Total_Books!="null"

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...