Hi,
I'm having a bit of trouble with this query of mine.
source="xxx" host="xxx" index="xxx" sourcetype="xxx" earliest=-1d@d latest=-0d@d | eval ReportKey="Yesterday"|timechart span= 1m avg("CPU") by ReportKey
This is the error I'm getting:
"Error in 'timechart' command: The specifier '1m' is invalid. It must be in form (). For example: max(size)."
Your example search seems ok. Just remove the space, like.. span= 1m
to span=1m
source="xxx.log" host="xxxl" index="xxx" sourcetype="xxx" earliest=$source_tok$ latest=$End_Date$ | eval ReportKey="Yesterday" |timechart span=1m avg("CPU") by ReportKey
try removing the space from your timechart command?
..| timechart span=1m avg(CPU) by ReportKey
Unfortunately it's not working. I'm getting this error message now: The specifier '1m' is invalid. It must be in form (). For example: max(size)
can you post your updated search?
yep, It's:
source="xxx.log" host="xxxl" index="xxx" sourcetype="xxx" earliest=$source_tok$ latest=$End_Date$ | eval ReportKey="Yesterday" |timechart span=avg("CPU") by ReportKey
I closed the space between the timespan and the pipe.
I should add, the message I'm getting now is:
Error in 'timechart' command: You must specify data field(s) to chart.
yeah, still got typos there.
| timechart span=1m avg("CPU") by ReportKey
Or you can leave span out and let Splunk automagically do it | timechart avg("CPU") by ReportKey
definitely check out the docs link below for syntax and examples!
@mahbs, as @mmodestino has pointed out, timechart should have span=1m, not span=avg("CPU"). Please try out the following query:
source="xxx.log" host="xxxl" index="xxx" sourcetype="xxx" earliest=$source_tok$ latest=$End_Date$ | eval ReportKey="Yesterday" |timechart span=1m avg("CPU") by ReportKey
Refer to the Splunk documentation and try to understand how the timechart command works: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Timechart
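As an added example that is not part of any answer in this thread: the same corrected timechart syntax, run against data generated with makeresults instead of the poster's index, so the span=1m and avg(CPU) arguments can be checked in any Splunk search bar. The 300 one-minute samples, the CPU values and the ReportKey="Yesterday" label are all constructed here; the _time values start at yesterday midnight to mirror the original earliest=-1d@d window.

```spl
| makeresults count=300
| streamstats count AS n
| eval _time = relative_time(now(), "-1d@d") + (n - 1) * 60
| eval CPU = (n % 17) * 5
| eval ReportKey = "Yesterday"
| timechart span=1m avg(CPU) by ReportKey
```

The streamstats counter gives each generated event its own minute-aligned _time, so timechart has one event per 1m bucket and produces a single series named Yesterday. The span argument is a time interval and must be written without a space (span=1m); the field to aggregate goes inside the function, avg(CPU), which is why span=avg("CPU") from earlier in the thread raised "You must specify data field(s) to chart". Dropping span=1m entirely, as suggested above, lets Splunk pick a bucket size based on the time range.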