Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how can i timechart with a _time multivalue ?

amir_bnp
Explorer
‎04-07-2021 07:06 AM

Hi all,

 

I want to timechart the ouput of my stat command. I know that the _time field must be in the stats command when i add _time in the stats command, _time appears like a multivalue field so how can i timechart with this field ?

index="X" sourcetype="Y" | stats values(A) AS NOM  values(eval(round(B/60))) AS duration distinct_count(C) as cparticipant values(_time) as time by call_id | where duration >=2 and cparticipant>1 | join NOM [| inputlookup  D]

 

sample _time.png 

here the field _time

 

Thx

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-07-2021 05:31 PM

timechart expects the _time field to be single-valued.  Similarly, the stats functions timechart  supports all expect a single-value argument.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-07-2021 05:31 PM

timechart expects the _time field to be single-valued.  Similarly, the stats functions timechart  supports all expect a single-value argument.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎04-07-2021 07:17 AM

Rather than values(_time), try min(_time) or max(_time) to use the oldest or newest timestamp, respectively.

That may be only the first of your problems as I suspect timechart will have difficulty displaying multi-value fields.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

amir_bnp
Explorer
‎04-07-2021 08:07 AM

I used the eventstats command and it works! But the command takes a long time to execute whereas with stats it is done almost immediately.

 

so its possible to timechart with mv field _time ?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...