I am trying to put multiple lines on a line graph. However, the lines are not showing up. Here is a picture of the panel.
The XML for my dashboard is:
<row> <panel> <chart> <title>Completion Times of Each "Thing"</title> <searchString>host=... source = "..." SP Position="Finished" | eval Completion_Time=tonumber(replace(Completion_Time,"(\d+):(\d+):(\d+)","\1.\2")) | timechart limit=100 latest(TIME) as Completion_Time by FinishedName</searchString> <earliestTime>$timetoken.earliest$</earliestTime> <latestTime>$timetoken.latest$</latestTime> <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option> <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option> <option name="charting.axisTitleX.visibility">visible</option> <option name="charting.axisTitleY.visibility">visible</option> <option name="charting.axisTitleY2.visibility">visible</option> <option name="charting.axisX.scale">linear</option> <option name="charting.axisY.scale">linear</option> <option name="charting.axisY2.enabled">false</option> <option name="charting.axisY2.scale">inherit</option> <option name="charting.chart">line</option> <option name="charting.chart.nullValueMode">gaps</option> <option name="charting.chart.sliceCollapsingThreshold">0.01</option> <option name="charting.chart.stackMode">default</option> <option name="charting.chart.style">shiny</option> <option name="charting.drilldown">all</option> <option name="charting.layout.splitSeries">0</option> <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option> <option name="charting.legend.placement">right</option> <option name="wrap">true</option> <option name="rowNumbers">false</option> <option name="dataOverlayMode">none</option> <option name="list.drilldown">full</option> <option name="list.wrap">1</option> <option name="maxLines">5</option> <option name="raw.drilldown">full</option> <option name="table.drilldown">all</option> <option name="table.wrap">1</option> <option name="type">list</option> </chart> </panel> </row>
Can anyone give insight on this problem?
Do you have a field called TIME? In your search you are showing the latest TIME. If you don't have it, it won't show data.
| timechart limit=100 latest(TIME) as Completion_Time by FinishedName
I don't know much about your data but, taking in consideration the eval i believe you meant to use:
Since you have a legend there, you do have multiple series values in the data itself. So what's probably happening here is that you have "nullValueMode" set to "gaps", and all of the numerical values have a null value in the time bucket before, and a null value in the timebucket after. nullValueMode actually causes this confusion quite often.
with chartType set to line and nullValueMode set to "gaps", (and showMarkers left to its default setting of False), the charting will draw lines on the graph only between consecutive values. So if a point in a given series has null values in the time buckets immediately before and immediately after, that point will not get drawn at all. You can stumble across it by mousing around in the chart randomly. Needless to say this is a little confusing, so much so that it should probably be considered an error state.
Anyway, try changing nullValueMode to "connect" or to "zero" and see which one you like best. Alternately you can revisit the search language generating your chart and depending on the search language there's most likely another way to get the data such that you have no empty values, or explicit zeros there install of nulls.
Here's another answers post showing the same problem and same solution.
Incidentally, one somewhat common way this can arise, is if the underlying data (be it summary index data, or just plain old raw data) has an underlying granularity that is courser than the granularity of the search language you're using. For example you might be charting a value that only gets written to the logs every 30 minutes but you're using a timechart command with span=10min. Such a chart, with this combination of nullValueMode etc, would never be able to chart a single point.
Update: Also yes it is crucial that the "TIME" values you're charting are at least vaguely numerical. timechart can be pretty forgiving about noise in there but if TIME doesn't look at all like a number it wont chart anything for latest(TIME)
You can only timechart numbers and since your
TIME field almost certainly has colons and hyphens, Splunk very rightly does not consider this a number so it refuses-to/cannot graph them on the Y-Axis. If you convert
epoch then it will graph but it will be a really strange graph. Click on your graph to
drilldown and the click on the
Statistics tab and you will see your non-number timechart data. That is the problem.