Solved: how can i timechart with a _time multivalue ?

amir_bnp · ‎04-07-2021

Hi all,

I want to timechart the ouput of my stat command. I know that the _time field must be in the stats command when i add _time in the stats command, _time appears like a multivalue field so how can i timechart with this field ?

index="X" sourcetype="Y" | stats values(A) AS NOM  values(eval(round(B/60))) AS duration distinct_count(C) as cparticipant values(_time) as time by call_id | where duration >=2 and cparticipant>1 | join NOM [| inputlookup  D]

here the field _time

Thx

richgalloway · ‎04-07-2021

timechart expects the _time field to be single-valued. Similarly, the stats functions timechart supports all expect a single-value argument.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎04-07-2021

timechart expects the _time field to be single-valued. Similarly, the stats functions timechart supports all expect a single-value argument.

---
If this reply helps you, Karma would be appreciated.

richgalloway · ‎04-07-2021

Rather than values(_time), try min(_time) or max(_time) to use the oldest or newest timestamp, respectively.

That may be only the first of your problems as I suspect timechart will have difficulty displaying multi-value fields.

---
If this reply helps you, Karma would be appreciated.

amir_bnp · ‎04-07-2021

I used the eventstats command and it works! But the command takes a long time to execute whereas with stats it is done almost immediately.

so its possible to timechart with mv field _time ?

how can i timechart with a _time multivalue ?

using Splunk Enterprise

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)