Hi Guys,
I need your help.
I have this structured log:
SERVICE,ENDTIME,DATA,TIME
JobName,10/12/2018 07:14,10/12/2018,07:14
JobName,12/12/2018 07:14,12/12/2018,07:14
JobName,13/12/2018 09:04,13/12/2018,09:04
Job_Name,14/12/2018 11:11,14/12/2018,11:11
I need to create this graph where there is Time (Hour) in Y-axis and Date (Days) in X-axis:
Which is the correct way?
Thanks in advance for the help.
As far as I am aware, you can't make the Y axis in Splunk be non-numeric. It will split the values into different lines for each timestamp you have there instead of a single line.
Documentation: https://docs.splunk.com/Documentation/Splunk/7.2.5/Viz/LineAreaCharts#Data_formatting
| makeresults count=1
| eval data="Job_Name,10/12/2018 07:14,10/12/2018,07:14
Job_Name,12/12/2018 07:14,12/12/2018,07:14
Job_Name,13/12/2018 09:04,13/12/2018,09:04
Job_Name,14/12/2018 11:11,14/12/2018,11:11"
| fields - _time
| rex field=data max_match=0 "(?<data>[^\n\e]+)"
| eval data=trim(data)
| mvexpand data
| rex field=data "(?<SERVICE>[^\,]+),(?<END_TIME>[^\,]+),(?<DATA>[^\,]+),(?<TIME>[^\e]+)"
| eval DATA=strftime(strptime(DATA, "%d/%m/%Y"), "%d-%b-%y")
| eval TIME=strftime(strptime(TIME, "%H:%M"), "%H:%M:%S")
| eval count=1
| xyseries DATA TIME count
A timechart would probably be more beneficial, but it won't have that timestamped Y axis and you would need to hover over the visualization to see the minute:
| makeresults count=1
| eval data="Job_Name,10/12/2018 07:14,10/12/2018,07:14
Job_Name,12/12/2018 07:14,12/12/2018,07:14
Job_Name,13/12/2018 09:04,13/12/2018,09:04
Job_Name,14/12/2018 11:11,14/12/2018,11:11"
| fields - _time
| rex field=data max_match=0 "(?<data>[^\n\e]+)"
| eval data=trim(data)
| mvexpand data
| rex field=data "(?<SERVICE>[^\,]+),(?<END_TIME>[^\,]+),(?<DATA>[^\,]+),(?<TIME>[^\e]+)"
| eval _time=strptime(DATA.TIME, "%d/%m/%Y%H:%M")
| timechart span=1m count
| search count>0
