Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to present eventstats as timechart?

Marco204
Explorer
‎08-22-2022 10:02 AM

Hi there,

so I have a search which contains the field myMetric (done within field extraction).

I want to show a dashboard panel presenting only myMetrics on the y-axis and time on the x-axis.

I fail using "| timechart" since I am forced to use a statistic function or count (I want to show myMetric, not the count).

Using "| eventstats" my first problem was that the dashboard legend shows way to many fields, but I was able to remove them using "| fields -a,b,c". But the x-axis is labeled with "Time" instead of showing concrete datetimes.

So how can I archive this?

Labels (1)
Labels
Preview file
492 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-22-2022 10:51 AM

timechart, eventstats, stats, streamstats, and chart all require an aggregating function.  If the field being graphed is discrete enough (1 value per interval) then values(myMetric) should do the job.  Otherwise, use max(), min(), or avg(), whichever is most appropriate.

A possible alternative is the xyseries command, which converts selected fields into a format suitable for graphing.

 

<<your search to obtain 'myMetric'>>
| eval label="some text"
| xyseries _time label myMetric

 

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-22-2022 10:51 AM

timechart, eventstats, stats, streamstats, and chart all require an aggregating function.  If the field being graphed is discrete enough (1 value per interval) then values(myMetric) should do the job.  Otherwise, use max(), min(), or avg(), whichever is most appropriate.

A possible alternative is the xyseries command, which converts selected fields into a format suitable for graphing.

 

<<your search to obtain 'myMetric'>>
| eval label="some text"
| xyseries _time label myMetric

 

 

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...