Solved: Re: chart with two lines

hunyady · ‎09-15-2015

Hallo,
I will make a chart with two lines. I have a query : select a,b,eventtime from t. Eventtime is the datum and time in a char field :"2015-09-11 03:00", for all 15 Minutes there is one record. I will show the values 'a' and 'b' for the last 7 days (i.ex). How can I make it ?
thank you

woodcock · ‎09-15-2015

Maybe like this (set timepicker for Last 7 days😞

... | timechart span=15m avg(a) AS a avg(b) AS b

View solution in original post

Amohlmann · ‎09-16-2015

Would something like this work for you:

basesearch|earliest=-7d| timechart values(A) as A, values(B) as B

The only thing to note is that it will not like it if you have multivalues.
If this still does not provide anything, do a quick

stats values(a) as, values(b) as b by _time

just to see whats going on which might help you out. Could it be that it does not realize that EVENTTIME is the timestamp?
if you do not want to worry about configuring that could you just do something like this as a work around:

basesearch|| stats values(A) as A, values(B) as B by EVENTTIME

woodcock · ‎09-15-2015

Maybe like this (set timepicker for Last 7 days😞

... | timechart span=15m avg(a) AS a avg(b) AS b

hunyady · ‎09-16-2015

Hi, new problem.
Have records from 11-Sept until now. In our Oracle-Database I have all records, 4 records pro hour: eventtime for all 15 Min.
In Splunk missing for ALL DAY the events between 12:00 - 12:45, We have events until 11:45 and after 13:00.
Can you have an idee, why ?
Field "Eventtime" is always generated with sql: to_char(eventtime,"yyyy-mm-dd hh24:mi:ss")
Have only tried the index new to generate (deleted, new created). All records new loaded. Missing 12:00-12:45.
Thank you

woodcock · ‎09-16-2015

I do not understand (your language is hard to follow). You should probably create a new question and start over and try to spell out ALL of the details.

hunyady · ‎09-15-2015

yes, now I have more lines with timestamp of 15 min, but both 'a' and 'b' are empty. Have tried 'avg', 'max'. Result is the same. Empty result by values.

woodcock · ‎09-15-2015

Show us one of your raw events.

hunyady · ‎09-15-2015

15.09.15 08:30:00,000

"2015-09-15 08:30:00" A=3399, B=5025, EVENTTIME="2015-09-15 08:30:00"

EVENTTIME = 2015-09-15 08:30:00
A = 3399
B = 5025
host = myhost
source = My_Logs
sourcetype = mylogs

I have 940 rows ...

woodcock · ‎09-16-2015

I see the problem; field names are case-sensitive! This will work:

... | timechart span=15m avg(A) AS A avg(B) AS B

hunyady · ‎09-16-2015

Thank you very much !!!
It was the problem ...

chart with two lines

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Join the Conversation