Hi
Can I check if there is a way to split my chart according to a time stamp?
This is my code:
DESCRIPTION="* sump *" OR (DESCRIPTION="* ejector pump *" AND DESCRIPTION="* run/stop *") (VALUE="RUN" OR VALUE="STOP" OR VALUE="TRIP") | eval TIMEONLY=strptime(CREATEDATETIME, "%d/%m/%Y %I:%M:%S %p") | eval _time=TIMEONLY
| rex field=VALUE mode=sed "s/TRIP/STOP/g" | rex field=DESCRIPTION mode=sed "s/Trip/Run\/Stop/g" | rex field=ASSET_NAME "^(?<LOCATION>[^/]+)"
| streamstats count(eval(VALUE="STOP")) AS TransactionID BY ASSET_NAME DESCRIPTION LOCATION
| stats range(_time) AS duration list(VALUE) AS VALUES min(_time) AS _time BY TransactionID ASSET_NAME DESCRIPTION LOCATION
| stats sum(duration) AS ActiveTime BY LOCATION
| head 10
| sort by -ActiveTime

What this does is get the operating time of all my pumps and sum them up together, but I would like to see the sum of my operating time month by month. Is there a query which I can use so that they are able to be shown monthly? The first picture is my bar chart, the second picture is what I wish to see. I was thinking of using timechart but I am not sure what the correct syntax is to use. I had tried using "timechart span=1d count by LOCATION" but no results were found.
Hope someone understands what I mean and could help me out. Thanks.
Hi @chookp ,
If I understand your expectation correct, this should give you what you want:
| timechart span=1mon sum(duration) AS ActiveTime BY LOCATION
Hope it works
BR
Ralph
hi @rnowitzki ,
Thanks for the help. The code does work, but the exact visualization I want is not what I expected. My sample data is not enough to do a monthly view, so I changed to daily instead. What I would like to see: is there a way to make them side by side? For example, the X-axis is the LOCATION name and the visualization will show the daily ActiveTime.
Can it be coded like something below? And is there a way to limit the time to just see 3 days? Thanks.
Hi @chookp,
I don't really get your drawing.
If you want to look at 3 days, do you want to see first Day1, Day2, Day3 of BDR, then Day1, Day2, Day3 of BCL etc?
BR
Ralph
Yes, I would like to see that. Is there a way to code it?
Hi @chookp,
This is going in the direction you want to go to I think:
Set the search timeframe to (e.g.) -3d@d as earliest and @d as latest (under advanced). Or pick the days manually.
Instead of the timechart I provided earlier, put this:
| chart sum(duration) AS ActiveTime BY LOCATION, date_wday 
Instead of date_wday you could also use date_mday to get the day (number) of the month.
Hope it helps.
BR
Ralph
Hi @chookp ,
It's a field, derived from the timestamp. date_wday would have values like "monday", "tuesday" etc.
https://docs.splunk.com/Documentation/Splunk/8.0.5/Knowledge/Usedefaultfields
BR
Ralph
I tried the code but am not able to get the daily result. Is there something wrong with my code?
Hi @chookp ,
I think it is because you assign something to _time in the line just above the | chart by command. I assume that this removes the default time/date fields like date_wday.
As you don't seem to work with the "new" _time field afterwards, you should be good with just removing (or renaming to something different) that "AS _time" part of the line.
Not related, but in your last line you should remove the "by" in "sort by". No "by" is needed. In addition, add a zero "0", because by default the sort command is limited to 10,000 events.
| sort 0 - Operation_Time(Mins)
BR
Ralph
You can use Trellis visualization so you can split it into several charts (one for each location).
I agree with this suggestion. Going back to your original visual there is no current method to get items grouped the way you suggested. Using a trellis gives you the bar graph that you want and you can break out individual items into separate graphs all on one dashboard/report sourced from a single search.
