Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Stats and chart command output response showing differently for date column

vikas_baranwal
Path Finder
‎02-01-2019 12:16 AM

Hello Splunkers,

I want your help to understand different responses of stats and chart command output. In First output with STATS command, date and time showing correctly in the last column.

index=index1*|.....

| search issueType = "Bug" AND (Status = "In QA" OR Status = "In Dev") AND (priority = P1 OR priority = P2 OR priority= P3) AND (key = "CORE-26985" OR key = "CORE-37789")
| stats min(update) as qaStatusDateMin by key,Status
alt text

But when I use chart command then only year is showing instead of date and time under newly generated columns named "In QA" and "In Dev"

| fillnull value="None" labels
| search issueType = "Bug" AND (Status = "In QA" OR Status = "In Dev") AND (priority = P1 OR priority = P2 OR priority= P3) AND (key = "CORE-26985" OR key = "CORE-37789")
| chart min(update) as qaStatusDateMin by key,Status

alt text

I hope, I have explained my question here in detail. Please help me to understand the logic behind this output response.

Your help will be appreciated!

Tags (1)
Preview file
1 KB
Preview file
1 KB
0 Karma
Reply

vishaltaneja070
Motivator
‎02-01-2019 12:35 AM

Hello @vikas_baranwal

The difference start comes in pictures when you mention two or more fields in by clause in Splunk.

When you use stats count by a,b , it will created status based on the a & b which is visible easily in your search results.

But when it comes to chart command it doesn't follow the same process. Because you need to create a graph. the command will be identical to chart over a by b
in your case: | chart min(update) as qaStatusDateMin over key by Status

0 Karma
Reply

vikas_baranwal
Path Finder
‎02-01-2019 02:44 AM

Hi Vishal,

Thanks for your reply but still I have not got answer for my question.

With regards,
Vikas baranwal

0 Karma
Reply

vishaltaneja070
Motivator
‎02-01-2019 02:52 AM

@vikas_baranwal

There is No logic behind it. As chart command need three axis for data showing. It will convert the command in different logic , so that the data can be visible better in any visualisation.

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...