Dashboards & Visualizations

Is there a way to split my chart according to timeline?

chookp
Explorer

Hi

Can I check if there is a way to split my chart according to a time stamp?

This is my code:

DESCRIPTION="* sump *" OR (DESCRIPTION="* ejector pump *" AND DESCRIPTION="* run/stop *") (VALUE="RUN" OR VALUE="STOP" OR VALUE="TRIP") | eval TIMEONLY =strptime(CREATEDATETIME ,"%d/%m/%Y %I:%M:%S %p") | eval _time=TIMEONLY
| rex field=VALUE mode=sed "s/TRIP/STOP/g" | rex field=DESCRIPTION mode=sed "s/Trip/Run\/Stop/g" | rex field=ASSET_NAME "^(?<LOCATION>[^/]+)"
| streamstats count(eval(VALUE="STOP")) AS TransactionID BY ASSET_NAME DESCRIPTION LOCATION
| stats range(_time) AS duration list(VALUE) AS VALUES min(_time) AS _time BY TransactionID ASSET_NAME DESCRIPTION LOCATION
| stats sum(duration) AS ActiveTime BY LOCATION
| head 10
| sort by -ActiveTime

What this does is get the operating time of all my pumps and sum them up together, but I would like to see the sum of my operating time month by month. Is there a query I can use so that they can be shown monthly? The first picture is my bar chart, the second picture is what I wish to see. I was thinking of using timechart but I am not sure what the correct syntax to use is. I had tried using "timechart span=1d count by LOCATION" but no results were found.

Hope someone understands what I mean and could help me out. Thanks.

[attached images: Capture.JPG, Capture2.JPG]


rnowitzki
Builder

Hi @chookp ,

If I understand your expectation correct, this should give you what you want:

| timechart span=1mon sum(duration) AS ActiveTime BY LOCATION


Hope it works

BR

Ralph

--
Karma and/or Solution tagging appreciated.

chookp
Explorer

Hi @rnowitzki,

Thanks for the help. The code does work, but the visualization is not exactly what I want. My sample data is not enough to do a monthly view, so I changed to daily instead. What I would like to see: is there a way to make them side by side? For example, the X-axis is the LOCATION name and the visualization shows the daily ActiveTime.

[attached image: Capture2.JPG]

Can it be coded like something below? And is there a way to limit the time to just 3 days?

[attached image: Capture3.JPG]

Thanks.

rnowitzki
Builder

Hi @chookp,

I don't really get your drawing.

If you want to look at 3 days, do you want to see first Day1, Day2, Day3 of BDR, then Day1, Day2, Day3 of BCL etc?

BR

Ralph


chookp
Explorer

Yes, I would like to see that. Is there a way to code it?

rnowitzki
Builder

Hi @chookp,

This is going in the direction you want to go to I think:

Set the search timeframe to (e.g.) -3d@d as earliest and @d as latest (under advanced). Or pick the days manually.

Instead of the timechart I provided earlier, put this:

| chart sum(duration) AS ActiveTime BY LOCATION, date_wday

 
Instead of date_wday you could also use date_mday to get the day (number) of the month.

Hope it helps.
BR

Ralph


chookp
Explorer

Hi @rnowitzki,

Can I check the date_wday: is it a field, or is it chart syntax?

Thanks,

Darrick

rnowitzki
Builder

Hi @chookp ,

It's a field, derived from the timestamp. date_wday would have values like "monday", "tuesday" etc.

https://docs.splunk.com/Documentation/Splunk/8.0.5/Knowledge/Usedefaultfields

BR
Ralph


chookp
Explorer

[attached image: image.jpg]

I tried the code but am not able to get the daily result. Is there something wrong with my code?

rnowitzki
Builder

Hi @chookp ,

I think it is because you assign something to _time in the line just above the | chart command. I assume that this removes the default time/date fields like date_wday.

As you don't seem to work with the "new" _time field afterwards, you should be good with just removing (or renaming to something different) that "AS _time" part of the line.

Not related, but in your last line you should remove the "by" in sort by. No "by" is needed. In addition, add a zero "0", because by default the sort command is limited to 10,000 events.

| sort 0 - Operation_Time(Mins)


BR
Ralph
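The search below is an added example, not code posted by anyone in this thread, that works through the whole approach Ralph describes (pair each pump's RUN with its following STOP, sum the run time per location, then split the sum per day with chart) on a handful of constructed events embedded via makeresults. The field names CREATEDATETIME, ASSET_NAME, DESCRIPTION, VALUE and LOCATION and the timestamp format follow the original post; the asset names, locations (BDR, BCL) and timestamps are invented sample data. One deliberate difference from the thread: the day is derived from each transaction's start time with strftime instead of reading date_wday, because stats only emits its BY fields and aggregates, so the default date_* fields are gone after the stats line regardless of what _time is renamed to.

```spl
| makeresults
| eval data="02/10/2024 08:00:00 AM,BDR/sump-1,Sump Pump run/stop,RUN;02/10/2024 08:30:00 AM,BDR/sump-1,Sump Pump run/stop,STOP;02/10/2024 09:00:00 AM,BCL/ejector-1,Ejector Pump run/stop,RUN;02/10/2024 09:15:00 AM,BCL/ejector-1,Ejector Pump run/stop,TRIP;03/10/2024 01:00:00 PM,BDR/sump-1,Sump Pump run/stop,RUN;03/10/2024 02:10:00 PM,BDR/sump-1,Sump Pump run/stop,STOP;04/10/2024 07:00:00 AM,BCL/ejector-1,Ejector Pump run/stop,RUN;04/10/2024 07:45:00 AM,BCL/ejector-1,Ejector Pump run/stop,STOP"
| eval data=split(data, ";")
| mvexpand data
| rex field=data "^(?<CREATEDATETIME>[^,]+),(?<ASSET_NAME>[^,]+),(?<DESCRIPTION>[^,]+),(?<VALUE>.+)$"
| fields - data
| eval _time=strptime(CREATEDATETIME, "%d/%m/%Y %I:%M:%S %p")
| rex field=VALUE mode=sed "s/TRIP/STOP/g"
| rex field=ASSET_NAME "^(?<LOCATION>[^/]+)"
| sort 0 ASSET_NAME _time
| streamstats current=false count(eval(VALUE="STOP")) AS TransactionID BY ASSET_NAME
| stats min(_time) AS start range(_time) AS duration BY TransactionID ASSET_NAME LOCATION
| eval duration=round(duration/60, 1), day=strftime(start, "%Y-%m-%d")
| chart sum(duration) AS ActiveTime BY LOCATION day
```

The first five lines only fabricate the sample events (one CSV-style record per semicolon-separated entry) so the search runs without any indexed data; in a real search they are replaced by the base search from the original post. The sort on ASSET_NAME and _time guarantees chronological order per pump, and streamstats with current=false gives a RUN and the STOP that follows it the same TransactionID (the count of STOPs seen before the current event), which is what makes range(_time) in the stats line the run length of one cycle. duration is converted to minutes to match the Operation_Time(Mins) column in the screenshots. On this sample the result is one row per LOCATION with a column per day (BDR: 30.0 on 2024-10-02 and 70.0 on 2024-10-03; BCL: 15.0 on 2024-10-02 and 45.0 on 2024-10-04), which a bar chart renders as grouped bars per location. For the monthly view from the first reply, replace the last line with "| eval _time=start | timechart span=1mon sum(duration) AS ActiveTime BY LOCATION", since timechart needs _time on each row.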

bachi_kidd
Engager

You can use Trellis visualization so you can split it into several charts (one for each location).

dural_yyz
Builder

I agree with this suggestion. Going back to your original visual, there is no current method to get items grouped the way you suggested. Using a trellis gives you the bar graph that you want, and you can break out individual items into separate graphs all on one dashboard/report sourced from a single search.