Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Help with Timechart command

alexspunkshell
Contributor
‎09-29-2022 09:29 AM

I have an SPL which gives a result. I want to get a trend of the result. 

So I tried using timechart command, but it is not working. 

 

Query

| tstats `summariesonly` earliest(_time) as _time from datamodel=Incident_Management.Notable_Events_Meta by source,Notable_Events_Meta.rule_id | `drop_dm_object_name("Notable_Events_Meta")` | `get_correlations` | join rule_id [| from inputlookup:incident_review_lookup | eval _time=time | stats earliest(_time) as review_time by rule_id] | eval ttt=review_time-_time | stats avg(ttt) as avg_ttt | sort - avg_ttt | `uptime2string(avg_ttt, avg_ttt)` | rename *_ttt* as *(Time_To_Triage)* | fields - *_dec |table avg(Time_To_Triage) |rename avg(Time_To_Triage) as "Mean/Average Time To Respond"

 

alexspunkshell_0-1664468944627.png

 

Labels (1)
Labels
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎09-30-2022 06:22 PM

If you want to use timechart, your _time cannot be a single value such as earliest(_time) will give. (Besides, min(_time) is more efficient than earliest(_time).)  With tstats, you need to chop off _time the same way you want timechart to chop off time into intervals.  Say, you want to have 5-minute intervals,

| tstats `summariesonly` from datamodel=Incident_Management.Notable_Events_Meta by source,Notable_Events_Meta.rule_id _time span=5m
| `drop_dm_object_name("Notable_Events_Meta")`
| `get_correlations`
| join rule_id 
    [| from inputlookup:incident_review_lookup
    | eval _time=time
    | stats earliest(_time) as review_time by rule_id]
| eval ttt=review_time-_time
| timechart span=5m avg(ttt) as avg_ttt
| sort - avg_ttt
| `uptime2string(avg_ttt, avg_ttt)`
| rename *_ttt* as *(Time_To_Triage)*
| fields - *_dec
| table avg(Time_To_Triage)
| rename avg(Time_To_Triage) as "Mean/Average Time To Respond"
0 Karma
Reply

andrew_nelson
Communicator
‎09-29-2022 09:52 AM

timechart requires the _time field being in the dataset sent to it. 

That field doesn't exist once you do :

| stats avg(ttt) as avg_ttt

 

You also cant chart a string value. Your `uptime2String()` macro means you no longer have a value that can be compared in a chart. 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Platform | Upgrading your Splunk Deployment to Python 3.9

Splunk initially announced the removal of Python 2 during the release of Splunk Enterprise 8.0.0, aiming to ...

From Product Design to User Insights: Boosting App Developer Identity on Splunkbase

co-authored by Yiyun Zhu & Dan Hosaka Engaging with the Community at .conf24 At .conf24, we revitalized the ...

Detect and Resolve Issues in a Kubernetes Environment

We’ve gone through common problems one can encounter in a Kubernetes environment, their impacts, and the ...