Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Help with Timechart command

alexspunkshell
Contributor
‎09-29-2022 09:29 AM

I have an SPL which gives a result. I want to get a trend of the result. 

So I tried using timechart command, but it is not working. 

 

Query

| tstats `summariesonly` earliest(_time) as _time from datamodel=Incident_Management.Notable_Events_Meta by source,Notable_Events_Meta.rule_id | `drop_dm_object_name("Notable_Events_Meta")` | `get_correlations` | join rule_id [| from inputlookup:incident_review_lookup | eval _time=time | stats earliest(_time) as review_time by rule_id] | eval ttt=review_time-_time | stats avg(ttt) as avg_ttt | sort - avg_ttt | `uptime2string(avg_ttt, avg_ttt)` | rename *_ttt* as *(Time_To_Triage)* | fields - *_dec |table avg(Time_To_Triage) |rename avg(Time_To_Triage) as "Mean/Average Time To Respond"

 

alexspunkshell_0-1664468944627.png

 

Labels (1)
Labels
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎09-30-2022 06:22 PM

If you want to use timechart, your _time cannot be a single value such as earliest(_time) will give. (Besides, min(_time) is more efficient than earliest(_time).)  With tstats, you need to chop off _time the same way you want timechart to chop off time into intervals.  Say, you want to have 5-minute intervals,

| tstats `summariesonly` from datamodel=Incident_Management.Notable_Events_Meta by source,Notable_Events_Meta.rule_id _time span=5m
| `drop_dm_object_name("Notable_Events_Meta")`
| `get_correlations`
| join rule_id 
    [| from inputlookup:incident_review_lookup
    | eval _time=time
    | stats earliest(_time) as review_time by rule_id]
| eval ttt=review_time-_time
| timechart span=5m avg(ttt) as avg_ttt
| sort - avg_ttt
| `uptime2string(avg_ttt, avg_ttt)`
| rename *_ttt* as *(Time_To_Triage)*
| fields - *_dec
| table avg(Time_To_Triage)
| rename avg(Time_To_Triage) as "Mean/Average Time To Respond"
0 Karma
Reply

andrew_nelson
Communicator
‎09-29-2022 09:52 AM

timechart requires the _time field being in the dataset sent to it. 

That field doesn't exist once you do :

| stats avg(ttt) as avg_ttt

 

You also cant chart a string value. Your `uptime2String()` macro means you no longer have a value that can be compared in a chart. 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Building on the foundation established in our initial Value Insights releases, we are introducing the Savings ...

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...