
timechart not giving expected result

pench2k19
Explorer

Hey guys,

I'm planning to draw a trend using the timechart command. For some reason the timechart command shows no results, but when I use the stats or chart command it functions correctly.

Following is the query I'm using; can anyone help me get the correct query?

| inputlookup SLA.csv
| rex field=SOR_TDQ_FAIL_SLA_THRESHOLD "(?P<date>.*)\,(?<time>.*)"
| eval sla_time = case(date="BUS_DT+1", strftime(now(),"%Y-%m-%d").",".time, date="BUS_DT+0", strftime(relative_time(time(), "-d"),"%Y-%m-%d").",".time)
| eval sla_time=replace(sla_time,","," ")
| eval sla_time=sla_time + ":00"
| table SOR_NAME FEED_NAME sla_time
| dedup SOR_NAME FEED_NAME
| join type=outer SOR_NAME FEED_NAME
    [search index=xxx source=xxx earliest=@d
    | rex "info\s:\s+{4}\sSTARTED\s+{4}\sJob run_ingest_(?<Datafeed_name>\w+)(?<start_time>\d+-\d+-\d+-\d+-\d+-\d+)"
    | rex field=Datafeed_name "^(?<SOR_NAME>\w{2,5})_(?<FEED_NAME>\w+)$"
    | eval FILE_ARRIVALTIME = strftime(strptime(start_time,"%Y-%m-%d-%H-%M-%S"),"%Y-%m-%d %H:%M:%S")
    | eval FILE_ARRIVALTIME_epoch=strptime(FILE_ARRIVALTIME,"%Y-%m-%d %H:%M:%S")
    | fields SOR_NAME FEED_NAME FILE_ARRIVALTIME FILE_ARRIVALTIME_epoch]
| eval now_time=strftime(now(), "%Y-%m-%d %H:%M:%S")
| eval now_time_epoch = strptime(now_time,"%Y-%m-%d %H:%M:%S")
| eval sla_time_epoch = strptime(sla_time,"%Y-%m-%d %H:%M:%S")
| eval time_diff_epoch = sla_time_epoch-FILE_ARRIVALTIME_epoch
| fillnull value="0" FILE_ARRIVALTIME_epoch
| where FILE_ARRIVALTIME_epoch!=0
| table SOR_NAME FEED_NAME sla_time_epoch FILE_ARRIVALTIME_epoch time_diff_epoch
| eval sla_status=case(time_diff_epoch >= 0, "Completed", time_diff_epoch <= 0, "Missed SLA", 1=1, "RISK")
| timechart count(FEED_NAME) by sla_status

0 Karma

jkat54
SplunkTrust

You need to be sure the _time field exists prior to the timechart command and is in epoch format.

I do not see a _time field in your fields and table commands.

0 Karma

pench2k19
Explorer

I have added _time to the table and fields commands in my query @jkat54 ... but no result.

0 Karma

jkat54
SplunkTrust

You need a _time field that is a time in epoch. You don’t have one because your lookup doesn’t have one.

So you have to create one:

| eval _time=strptime(start_time,...
0 Karma
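A runnable illustration of the point above, added here and not part of the thread: the lookup and join stages are replaced with constructed rows from makeresults, and _time is assigned from FILE_ARRIVALTIME_epoch right before timechart, which is the field timechart bins on; without that eval the table command leaves no _time and timechart returns nothing. Field names follow the question; the feed names and arrival offsets are constructed sample values, and the SLA is set to three hours ago so two feeds land after it.

```spl
| makeresults count=6
| streamstats count AS n
| eval FEED_NAME="feed_".n
| eval FILE_ARRIVALTIME_epoch=relative_time(now(), "-".n."h")
| eval sla_time_epoch=relative_time(now(), "-3h")
| eval time_diff_epoch=sla_time_epoch-FILE_ARRIVALTIME_epoch
| eval sla_status=case(time_diff_epoch >= 0, "Completed", time_diff_epoch < 0, "Missed SLA", 1=1, "RISK")
| eval _time=FILE_ARRIVALTIME_epoch
| table _time FEED_NAME sla_status
| timechart span=1h count(FEED_NAME) AS feeds BY sla_status
```

Removing the `eval _time=...` line reproduces the empty result from the question, because makeresults stamps every row with the current time and table then drops _time.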

vnravikumar
Champion

Hi @pench2k19

Try adding _time in table:

your query..... |table SOR_NAME FEED_NAME sla_time_epoch FILE_ARRIVALTIME_epoch time_diff_epoch _time| eval sla_status=case(time_diff_epoch >= 0 , "Completed", time_diff_epoch <= 0 , "Missed SLA",1 = 1, "RISK") |timechart count(FEED_NAME) by sla_status
0 Karma

pench2k19
Explorer

No luck @vnravikumar ... I have already tried that way...

0 Karma

vnravikumar
Champion

Can you please add it in these places too and try:

| table SOR_NAME FEED_NAME sla_time

|fields SOR_NAME FEED_NAME FILE_ARRIVALTIME FILE_ARRIVALTIME_epoch
0 Karma

pench2k19
Explorer

No results

0 Karma

pench2k19
Explorer

@vnravikumar @jkat54

0 Karma