Solved: Y-Axis Based on Field Values

PaintItParker · ‎04-19-2021

I have a field, SecondsSpentExecuting. A logged event will have that field. I want to visualize my data with a line chart, so the x-axis is _time, and the y-axis is SecondsSpentExecuting, so for a given event, at a given time on the x-axis, you see on the y-axis visually how long it took compared to other events in that line chart.

The current command I am using is:

timechart count by SecondsSpentExecuting

But in this case, the y-axis is the quantity of events that spent x seconds executing, so it does not work for my purposes.

How could I write a command which considers the actual value of the SecondsSpentExecuting field rather than charting by quantity of events?

ITWhisperer · ‎04-19-2021

| gentimes start=-1 increment=10m 
| eval SecondsSpentExecuting=random() % 50
| rename starttime as _time 
| fields - endhuman endtime starthuman


| table _time SecondsSpentExecuting

View solution in original post

ITWhisperer · ‎04-19-2021

| gentimes start=-1 increment=10m 
| eval SecondsSpentExecuting=random() % 50
| rename starttime as _time 
| fields - endhuman endtime starthuman


| table _time SecondsSpentExecuting

Y-Axis Based on Field Values

chart

timechart

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Join the Conversation