Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to create a line chart without timestamp field?

mik990
Engager
‎08-27-2019 06:33 AM

Hi,
I have to compare a search and a List.csv, so I did the following search and all works well:

alt text

The problem is that I have to create a line chart about this count, but I cannot use the timechart as usual because in the result the timestamp field is not valorized.
Does anybody know if it is possible (and eventually how) to use the _time value to find out a solution?

Hoping to have been clear enough, I thank you in advance.

Regards.

Preview file
22 KB
0 Karma
Reply

solarboyz1
Builder
‎08-28-2019 10:36 AM

If the time value of the events in the serverlist index are correct, then try this:

index=serverlist | eval from_base=1
|  append 
    [ 
    | inputlookup testhost.csv | eval _time=now() 
    |  eval from_base=0  ]
| timechart span=1h sum(from_base) as from_base by host
| fillnull value=0
| untable _time host from_base 
| where from_base=0
0 Karma
Reply

Sukisen1981
Champion
‎08-27-2019 11:46 AM

not very clear. I can see that you choose not to include _time in the stats, is it because there is no such field in the csv?
if so, then how do you want your chart to look, what should be the x-axis?

0 Karma
Reply

mik990
Engager
‎08-28-2019 12:30 AM

Hi Sukisen and thank you for the response, the csv file is only a list of Server that i must verify are sending logs, so basically the result that i have is a list without the timestamp. I would like that the X axis contains the time of the search, for example if I do a search every 2h i need a line chart with every search value.
I hope this makes it clearer.

Thanks

0 Karma
Reply

Sukisen1981
Champion
‎08-28-2019 01:04 AM

hi @mik990
say at 8 am you run this and get a count of 3
at 12 pm you run this get a count of 5
how do you want your chart, a line chart with 2 points 3 and 5 in the y axis and 8AM and 12PM in the x axis?

0 Karma
Reply

mik990
Engager
‎08-28-2019 01:27 AM

Hi @Sukisen1981 you get the point! I need a chart that show the result of the query every "x" time, likely the timechart function.

Thank you

0 Karma
Reply

Sukisen1981
Champion
‎08-28-2019 01:32 AM

but how do you propose to get the times, 8AM and 12 PM?
Its not part of your lookup csv, is it being captured somewhere in the index?
When you run the search at 12PM how will you know what the count WAS at 8AM?
Is it possible that your serverlist index has some timestamps?

0 Karma
Reply

mik990
Engager
‎08-28-2019 03:03 AM

I would like to use the time of the search itself, in fact the time that interests me is the time in the moment of the search.
Can't I make sure I get the query results at different times in the line chart?
The servelist file does not have a timestamp because it simply represents the list of servers that I should find in case everything works, in fact the goal of the check is to always have as a result 0 (no server missing)

0 Karma
Reply

Sukisen1981
Champion
‎08-28-2019 03:07 AM

i think you need to provide a mock screen snap of what you need.
' in fact the time that interests me is the time in the moment of the search.'
I am sure I am getting this wrong, but then you will have 1 single dot with the count value at 12 PM, what kind of line do you need? can you explain more?

0 Karma
Reply

mik990
Engager
‎08-28-2019 03:34 AM

Sure @Sukisen1981 , i need a line chart like this one:

Line-Chart-Example

I uses the query "index=serverlist | dedup hostname | timechart span=30d count", in this case i need to find the total amount of sending servers and it works.

I need to do the same thing with the list of "non-sending" servers, so i have to a line that rapresent the number of missing server during a period, for example if i do a search from 9:00 to 10:00 i have 3 missing servers, from 12:00 to 13:00 5, and so on. I need a line that rapresent this trend.
I hope is clear now, sorry if i can't explain myself correctly and thanks for your time.

Regards.

0 Karma
Reply

Sukisen1981
Champion
‎08-28-2019 04:45 AM

possible to share your snap from imgur or something or just edit your question with the image? it is not visible here

0 Karma
Reply

mik990
Engager
‎08-28-2019 05:14 AM

Sure, try with this link please https://imgur.com/sWIXvmG

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What’s a riddle wrapped in an enigma?

September 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

BORE at .conf25

Boss Of Regular Expression (BORE) was an interactive session run again this year at .conf25 by the brilliant ...

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...