Splunk Search

How do I make a line graph with my timechart search?

alanxu
Communicator

This is a table I created using the timechart command. Now, I am trying to make a line graph with this information with date on the x-axis and completion time for the y-axis. If I am able to solve that, I would love to add extra lines to the line graph.

<searchString>host=... source = ... Position="Finished" AND Report  | timechart latest(TIME) as Completion_Time</searchString>
<earliestTime>-168h</earliestTime>
<latestTime>$timetoken.latest$</latestTime>

This is inside my dashboard at the moment. I have a drop-down for time at the top.

somesoni2
SplunkTrust

The Completion_Time field is a string value and, as far as I know, strings can't be plotted on the Y-axis (you need numerical values). As a workaround, you can convert your Completion_Time to a decimal number like HH.MM and plot that.

alanxu
Communicator

That is what I have right now... So I want to add a second line which also has SOMESTRINGTOLOOKFOR and get the exact same data: the Completion_Time.

somesoni2
SplunkTrust

So you just want another line with the same name as SOMESTRINGTOLOOKFOR and the same values as Completion_Time?

alanxu
Communicator

It will be a different string I would be looking for... but yeah, looking for completion time too. When I was looking online they use a comma in timechart, but I'm not sure how I could make it work.

alanxu
Communicator

So I would want the exact same thing, but SOMESTRINGTOLOOKFOR has a unique completion time. So it would be nice to have both.

somesoni2
SplunkTrust

If you want to keep your current results and add Completion_Time as another row for SOMESTRINGTOLOOKFOR, then try something like this:

 host=.. source =.. | eval NewTIME=if(match(_raw,".*SOMESTRINGTOLOOKFOR.*"),TIME,null())   | timechart latest(*TIME) as *Completion_Time | eval Completion_Time=tonumber(replace(Completion_Time,"(\d+):(\d+):(\d+)","\1.\2")) | eval NewCompletion_Time=tonumber(replace(NewCompletion_Time,"(\d+):(\d+):(\d+)","\1.\2"))

alanxu
Communicator

I'll try it out now. Wow, I didn't know you would need to add that much.

alanxu
Communicator

OH! I see... What was the command again? str..() lol.

somesoni2
SplunkTrust

| eval Completion_Time=tonumber(replace(Completion_Time,"(\d+):(\d+):(\d+)","\1.\2"))

alanxu
Communicator

What's the 1 and 2 for?

somesoni2
SplunkTrust

In replace, I'm clubbing your data into 3 parts (the values inside the brackets), and replacing the 3 parts named 1, 2, 3 from the current format 1:2:3 with 1.2.
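The HH.MM conversion described in this thread, modelled in Python as an added example (not SPL from the thread and not part of any poster's reply). hhmm_decimal() mirrors the replace()/tonumber() expression above; fractional_hours() is an alternative added here, not suggested in the thread, that keeps the Y-axis linear so 10:59:59 and 11:00:01 do not end up 0.41 apart. The sample values are constructed.

```python
import re

# Constructed sample values, shaped like what timechart latest(TIME) returns.
SAMPLE_TIMES = ["09:05:17", "10:30:00", "10:59:59", "11:00:01", "n/a"]

# Same regex as the SPL replace(): group 1 hours, group 2 minutes, group 3 seconds.
PATTERN = r"(\d+):(\d+):(\d+)"


def hhmm_decimal(value):
    r"""Mirror tonumber(replace(Completion_Time,"(\d+):(\d+):(\d+)","\1.\2")).

    Hours become the integer part, minutes the fractional part, seconds are
    dropped. Returns None where the text is not a number, like tonumber() -> null.
    """
    replaced = re.sub(PATTERN, r"\1.\2", value)
    try:
        return float(replaced)
    except ValueError:
        return None


def fractional_hours(value):
    """Alternative (added here): HH + MM/60 + SS/3600, a linear time-of-day axis.

    With HH.MM, 10:59 plots as 10.59 and 11:00 as 11.00, a gap of 0.41 for one
    minute, while 10:00 to 10:01 is a gap of 0.01. Fractional hours avoid that.
    """
    m = re.fullmatch(PATTERN, value)
    if not m:
        return None
    h, mi, s = (int(g) for g in m.groups())
    return h + mi / 60 + s / 3600


def convert_all(values):
    """Return (raw, HH.MM, fractional hours) per value for side-by-side inspection."""
    return [(v, hhmm_decimal(v), fractional_hours(v)) for v in values]


if __name__ == "__main__":
    for raw, hhmm, frac in convert_all(SAMPLE_TIMES):
        print(f"{raw:>8}  HH.MM={hhmm!s:>6}  hours={frac}")
```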

alanxu
Communicator

Would you know how to add a second line?

host=.. source =.. SOMESTRINGTOLOOKFOR   | timechart latest(TIME) as Completion_Time | eval Completion_Time=tonumber(replace(Completion_Time,"(\d+):(\d+):(\d+)","\1.\2"))