Hello,
I want to make a chart with two lines. I have a query: select a,b,eventtime from t. Eventtime is the date and time in a char field: "2015-09-11 03:00"; there is one record for every 15 minutes. I want to show the values 'a' and 'b' for the last 7 days (for example). How can I do it?
Thank you
Maybe like this (set the time picker to Last 7 days):
... | timechart span=15m avg(a) AS a avg(b) AS b
Would something like this work for you:
basesearch earliest=-7d | timechart values(A) as A, values(B) as B
The only thing to note is that it will not like it if you have multivalues.
If this still does not provide anything, do a quick
stats values(a) as a, values(b) as b by _time
just to see what's going on, which might help you out. Could it be that it does not realize that EVENTTIME is the timestamp?
If you do not want to worry about configuring that, could you just do something like this as a workaround:
basesearch | stats values(A) as A, values(B) as B by EVENTTIME
Hi, new problem.
I have records from 11 Sept until now. In our Oracle database I have all records, 4 records per hour: an eventtime for every 15 min.
In Splunk, for EVERY DAY the events between 12:00 - 12:45 are missing. We have events until 11:45 and after 13:00.
Do you have an idea why?
The field "Eventtime" is always generated with SQL: to_char(eventtime,"yyyy-mm-dd hh24:mi:ss")
I have only tried regenerating the index (deleted, newly created). All records loaded again. 12:00-12:45 still missing.
Thank you
I do not understand (your language is hard to follow). You should probably create a new question and start over and try to spell out ALL of the details.
Yes, now I have more lines with a 15 min timestamp, but both 'a' and 'b' are empty. I have tried 'avg' and 'max'. The result is the same: empty values.
Show us one of your raw events.
15.09.15 08:30:00,000
"2015-09-15 08:30:00" A=3399, B=5025, EVENTTIME="2015-09-15 08:30:00"
EVENTTIME = 2015-09-15 08:30:00
A = 3399
B = 5025
host = myhost
source = My_Logs
sourcetype = mylogs
I have 940 rows ...
I see the problem; field names are case-sensitive! This will work:
... | timechart span=15m avg(A) AS A avg(B) AS B
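To make the case-sensitivity point concrete, here is an added Python model of what `timechart span=15m avg(<field>)` does to the raw event shown above; it is not Splunk code and not from this thread, and the sample events, the regex and the helper names are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the raw-event format shown in the thread:
# fields A, B and a char EVENTTIME, one record roughly every 15 minutes.
# The 08:47 record is added on purpose to show bucketing into 15-minute spans.
RAW_EVENTS = [
    '"2015-09-15 08:30:00" A=3399, B=5025, EVENTTIME="2015-09-15 08:30:00"',
    '"2015-09-15 08:45:00" A=3401, B=5030, EVENTTIME="2015-09-15 08:45:00"',
    '"2015-09-15 08:47:00" A=3403, B=5032, EVENTTIME="2015-09-15 08:47:00"',
    '"2015-09-15 09:00:00" A=3410, B=5040, EVENTTIME="2015-09-15 09:00:00"',
]

# key=value pairs; values may be quoted (EVENTTIME) or bare (A, B)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|[^,\s]+)')

def parse_event(raw):
    """Extract key=value fields; keys keep their case, exactly as Splunk does."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(raw)}
    # Equivalent of making Splunk use the char EVENTTIME as the event timestamp.
    fields["_time"] = datetime.strptime(fields["EVENTTIME"], "%Y-%m-%d %H:%M:%S")
    return fields

def timechart_avg(events, field, span_minutes=15):
    """Model of '| timechart span=15m avg(<field>)': bucket events by span start,
    then average the named field. A bucket whose events have no field of exactly
    that name yields None, which is what the empty 'a'/'b' columns looked like."""
    buckets = defaultdict(list)
    for ev in events:
        t = ev["_time"]
        start = t - timedelta(minutes=t.minute % span_minutes, seconds=t.second)
        values = buckets[start]          # create the bucket even if the field is absent
        if field in ev:                  # exact, case-sensitive match: 'a' never finds 'A'
            values.append(float(ev[field]))
    return {b: (sum(v) / len(v) if v else None) for b, v in sorted(buckets.items())}

if __name__ == "__main__":
    evs = [parse_event(r) for r in RAW_EVENTS]
    for name in ("a", "A"):
        print(name, {b.strftime("%H:%M"): v for b, v in timechart_avg(evs, name).items()})
```

Running it prints all-None buckets for `a` and the averaged values for `A`, which is the difference between the failing and the working search in this thread.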
Thank you very much !!!
It was the problem ...