Solved: How do I make a line graph with my timechart searc... - Page 2

alanxu · ‎08-27-2015

This is a table I created using the timechart command. Now, I am trying to make a line graph with this information with date on the x-axis and completion time for the y-axis. If I am able to solve that, I would love to add extra lines to the line graph.

<searchString>host=... source = ... Position="Finished" AND Report  | timechart latest(TIME) as Completion_Time</searchString>
<earliestTime>-168h</earliestTime>
<latestTime>$timetoken.latest$</latestTime>

This is inside my dashboard atm. I have a drop down for time at the top.

somesoni2 · ‎08-27-2015

The Completion_Time field is string value and as far as I know, strings can't be plotted in Y-axis (you need numerical values). Workaround, you can convert your Completion_Time to decimal number like HH.MM and plot them.

View solution in original post

alanxu · ‎08-27-2015

That is what I have right now... So I want to add a second line which also has SOMESTRINGTOLOOKFOR and get the exact same data.. The completion_Time

somesoni2 · ‎08-27-2015

So your just want another line with same name as SOMESTRINGTOLOOKFOR and have same values as Completion_Time?

alanxu · ‎08-27-2015

It will be a different string i would be looking for.. but yeah looking for completion time too.. When I was looking online they use a comma in time chart but im not sure how I could make it work

alanxu · ‎08-27-2015

So I would want the exact same thing but the SOMESTRINGTOLOOKFOR has an unique completion time. So it would be nice to have both.

somesoni2 · ‎08-27-2015

If you want to keep your current results and add Completion_Time as another row for SOMESTRINGLOOKFOR, then try something like this

 host=.. source =.. | eval NewTIME=if(match(_raw,".*SOMESTRINGTOLOOKFOR.*"),TIME,null())   | timechart latest(*TIME) as *Completion_Time | eval Completion_Time=tonumber(replace(Completion_Time,"(\d+):(\d+):(\d+)","\1.\2")) | eval NewCompletion_Time=tonumber(replace(NewCompletion_Time,"(\d+):(\d+):(\d+)","\1.\2"))

alanxu · ‎08-28-2015

Ill try it out now. Wow I didnt know you would need to add taht much

alanxu · ‎08-27-2015

OH! I see.. What was the command again? str..() lol.

somesoni2 · ‎08-27-2015

| eval Completion_Time=tonumber(replace(Completion_Time,"(\d+):(\d+):(\d+)","\1.\2"))

alanxu · ‎08-27-2015

Whats the 1 and 2 for?

somesoni2 · ‎08-27-2015

In replace, I'm clubbing your data in 3 parts (values inside the brackets), and replacing 3 parts named 1,2,3 from current format of 1:2:3 to 1.2

alanxu · ‎08-27-2015

Would you know how to add a second line?

host=.. source =.. SOMESTRINGTOLOOKFOR   | timechart latest(TIME) as Completion_Time | eval Completion_Time=tonumber(replace(Completion_Time,"(\d+):(\d+):(\d+)","\1.\2"))

How do I make a line graph with my timechart search?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms