Hi
Can I check if there is a way to split my chart according to a time stamp?
This is my code:
DESCRIPTION="* sump *" OR (DESCRIPTION="* ejector pump *" AND DESCRIPTION="* run/stop *") (VALUE="RUN" OR VALUE="STOP" OR VALUE="TRIP") | eval TIMEONLY =strptime(CREATEDATETIME ,"%d/%m/%Y %I:%M:%S %p") | eval _time=TIMEONLY
| rex field=VALUE mode=sed "s/TRIP/STOP/g" | rex field=DESCRIPTION mode=sed "s/Trip/Run\/Stop/g" | rex field=ASSET_NAME "^(?<LOCATION>[^/]+)"
| streamstats count(eval(VALUE="STOP")) AS TransactionID BY ASSET_NAME DESCRIPTION LOCATION
| stats range(_time) AS duration list(VALUE) AS VALUES min(_time) AS _time BY TransactionID ASSET_NAME DESCRIPTION LOCATION
| stats sum(duration) AS ActiveTime BY LOCATION
| head 10
| sort by -ActiveTimeWhat this does to get the operating time of all my pumps and sum them up together, but i would like to see the sum of my operating time month by month is there a query which i can use so that they are able to be shown monthly? the first picture is my bar chart, the second picture is what i wish to see , i was thinking of using timechart but i am not sure what is the correct syntax to be use. i had tried using "timechart span=1d count by LOCATION " but no result were found
hope someone understand what i mean and could help me out thanks.
hi @rnowitzki ,
thanks for the help, the code does work but the exact visualization i want is not expected. my sample data is not enough to do a monthly so i change to daily instead. what i would like to see is there a way to make them side by side , example the X-axis is the LOCATION name and the visualization will show the daily activetime
can be be coded like something below? and is a a way to limit the time just to see 3 days.
i try to do the code but not able to get the daily result. Is there something wrong with my code?
