Splunk Search

Create a timechart with Hours, Minutes, seconds on Y axis

aohls
Contributor

We have jobs running every day and I want to do a timechart to show the start time of the job for each day. I have data populated if I put it in a stats table but trying to get a timechart is not working. Do I need to adjust the format of the time data in order to use this properly?

What I want is to show the start time over each day to identify delays.

Here is the stats data that works.

rest of search....| stats values(Tier1StartTime) as T1Start, values(Tier2StartTime), values(Tier3StartTime) by Tier1, Tier2, Tier3

to4kawa
Ultra Champion
| stats count
| eval raw="2019/09/01,2019/10/01"
| makemv delim="," raw
| mvexpand raw
| eval raw=strptime(raw,"%Y/%m/%d")
| makecontinuous span=1d raw
| eval _time=raw
| eval time_args1="+".(random() % (60*24) +1)."m"
| eval time_args2="+".(random() % (60*24) +1)."m"
| eval time_args3="+".(random() % (60*24) +1)."m"
| eval tier1=relative_time(raw,time_args1)
| eval tier2=relative_time(raw,time_args2)
| eval tier3=relative_time(raw,time_args3)
| fieldformat tier1 = strftime(tier1,"%H:%M")
| fieldformat tier2 = strftime(tier2,"%H:%M")
| fieldformat tier3 = strftime(tier3,"%H:%M")
| table _time,tier*
`comment("this is sample data")`

Hi, this is sample data.

_time   tier1   tier2   tier3
2019/09/01  00:52   07:20   16:01
2019/09/02  16:36   15:07   16:55
2019/09/03  14:35   13:02   22:40
2019/09/04  21:04   18:29   18:00
2019/09/05  10:30   16:44   18:17
2019/09/06  12:02   22:08   10:39

Since the Y-axis of the line chart is only numbers, it cannot be displayed as it is.

So, in summary, what about queries like this?

| stats count
| eval raw="2019/10/01,2019/10/14"
| makemv delim="," raw
| mvexpand raw
| eval raw=strptime(raw,"%Y/%m/%d")
| makecontinuous span=1d raw
| eval _time=raw
| eval time_args1="+".(random() % (60*12) +1)."m"
| eval time_args2="+".(random() % (60*12) +1)."m"
| eval time_args3="+".(random() % (60*12) +1)."m"
| eval tier1=relative_time(raw,time_args1)
| eval tier2=relative_time(raw,time_args2)
| eval tier3=relative_time(raw,time_args3)
| table _time,tier*
`comment("this is sample data")`
| foreach tier* 
    [ eval <<FIELD>> = round ((<<FIELD>> - _time) / 3600 ,1)]

chart

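The approach in the answer above, carried through to a timechart, as an added example that is not part of the thread or any poster's code. It assumes Tier1StartTime is a text timestamp in "%Y-%m-%d %H:%M:%S" format; the five sample rows are constructed and the expected_by threshold of 3 is hypothetical. Snapping each start to its own midnight with relative_time(start,"@d") removes the need for _time to already sit on a day boundary.

```spl
| makeresults count=5
| streamstats count AS n
`comment("constructed sample data: one job start per day, as text timestamps (assumed format)")`
| eval Tier1StartTime=case(
    n=1, "2019-10-01 02:15:00",
    n=2, "2019-10-02 02:05:30",
    n=3, "2019-10-03 04:45:00",
    n=4, "2019-10-04 02:10:00",
    n=5, "2019-10-05 03:30:00")
`comment("parse the text into epoch seconds and use it as the event time")`
| eval start=strptime(Tier1StartTime, "%Y-%m-%d %H:%M:%S")
| eval _time=start
`comment("numeric Y value: hours elapsed since midnight of the same day")`
| eval start_hour=round((start - relative_time(start, "@d")) / 3600, 2)
| timechart span=1d min(start_hour) AS tier1_start_hour
`comment("hypothetical threshold, drawn as a flat line to make late starts stand out")`
| eval expected_by=3
```

On the chart, a Y value of 2.25 reads as 02:15. On a day when the search-time timezone changes its clock, hours elapsed since midnight can differ from the wall-clock hour by one.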

Anantha123
Communicator

Try the chart command.
