Hi, I am still fairly new in Splunk as I just started last week. Any help is appreciated!!
This is what i currently have now in my search:
index=_* OR index=* source="live logs.zip:.\\tenant_1.tgz:.\\tenant_1/application_24978294676695149906/application.log" sourcetype="tenant_1/application_00247908011074894418/application" | eval TIME=strftime(timeStamp_Temperature, "%d-%m-%Y %H:%M:%S") | search TIME!="31-12-9999 23:59:59" | timechart span=1h last(TIME) as TIME by temperature_value | eval threshold = 30
The search produced this (above), but this isn't what I want.
This is what I want, but I require the graph to show the time labels on the axis (P.S. this search is based on using table, but I read in the documentation that it requires timechart to work).
May I know what I did wrong here?
Thanks in advance!
You are massively overcomplicating the situation. Try this (just TRY it, without modifying it):
index=_* OR index=* source="live logs.zip:.\\tenant_1.tgz:.\\tenant_1/application_24978294676695149906/application.log" sourcetype="tenant_1/application_00247908011074894418/application"
| timechart span=1h avg(temperature_value)
If this doesn't look right, then add this line BEFORE the timechart line:
| eval _time=timeStamp_Temperature
Also, you might prefer min or max to avg (which is what the error was trying to tell you: you have to have a stats function applied to your field name).
1) Okay, you didn't tell us what you want the graph to tell you, and your code is confusing, so we're a bit in the dark.
2) When using timechart, the x axis is always based on the value of the field _time. Whatever aggregate function you use determines the Y value, and the BY field breaks the graph up into multiple series.
3) Do you really want just the last time that each particular temperature_value occurred? That could be as simple as this...
Your search
| dedup temperature_value
| eval _time=timeStamp_Temperature
| timechart span=1h count by temperature_value
4) On the other hand, if you want to know how many times a particular temperature was hit in each hour, that would be even simpler, like this...
Your search
| eval _time=timeStamp_Temperature
| timechart span=1h count by temperature_value
5) And if you wanted the temperatures grouped into buckets or bins, for example 5 degree ranges, then you could do this:
Your search
| eval _time=timeStamp_Temperature
| bin temperature_value span=5
| timechart span=1h count by temperature_value
If none of those are what you are looking for, then please describe what you want the graph to show, and we'll get you sorted out.
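Points 2 to 5 above describe what timechart actually does: put _time into fixed-width buckets, apply one aggregate per bucket, and split into series on the BY field, with bin doing the same to a numeric field. As an added illustration that is not part of this thread and is not Splunk code, here is a small Python model of that pipeline run over constructed sample events (the epoch values, the temperatures and the 31-12-9999 sentinel row are made up; the "20-25" range labels only approximate how Splunk's bin renders numeric ranges):

```python
"""Toy model of the SPL pipeline discussed above (added example, not Splunk itself)."""
from collections import defaultdict
from datetime import datetime, timezone

# Epoch for 31-12-9999 23:59:59 UTC: the placeholder value the original search filtered out.
SENTINEL = 253402300799


def make_events():
    """Constructed events: a temperature_value every 3 s, spread over two hours, plus one sentinel row."""
    base = 1700000000  # arbitrary epoch, 2023-11-14T22:13:20Z
    temps = [21.0, 22.5, 24.0, 27.5, 31.0, 33.0, 29.0, 26.0]
    events = []
    for i, t in enumerate(temps):
        offset = 3 * i + (3600 if i >= 4 else 0)  # second half lands in the next hour
        events.append({"timeStamp_Temperature": base + offset, "temperature_value": t})
    events.append({"timeStamp_Temperature": SENTINEL, "temperature_value": 0.0})
    return events


def set_time(events):
    """| eval _time=timeStamp_Temperature, dropping sentinel rows (the original | search TIME!=... step)."""
    return [dict(e, _time=e["timeStamp_Temperature"])
            for e in events if e["timeStamp_Temperature"] != SENTINEL]


def bin_field(events, field, span):
    """| bin <field> span=<span>: replace a numeric value with its range label, e.g. 22.5 -> '20-25'."""
    out = []
    for e in events:
        lo = int(e[field] // span) * span
        out.append(dict(e, **{field: f"{lo}-{lo + span}"}))
    return out


def timechart(events, span, agg, field=None, by=None):
    """| timechart span=<span> <agg>(<field>) [by <by>]: the x axis is always _time, bucketed by span.

    Returns {bucket_epoch: value} without BY, or {bucket_epoch: {series: value}} with BY.
    """
    buckets = defaultdict(lambda: defaultdict(list))
    for e in events:
        t0 = int(e["_time"] // span) * span      # floor _time to the start of its bucket
        series = e[by] if by else "_"
        buckets[t0][series].append(e[field] if field else 1)
    funcs = {
        "avg": lambda xs: sum(xs) / len(xs),
        "min": min,
        "max": max,
        "count": len,
    }
    result = {}
    for t0 in sorted(buckets):
        row = {s: funcs[agg](xs) for s, xs in buckets[t0].items()}
        result[t0] = row["_"] if not by else row
    return result


def label(epoch):
    """strftime(_time, "%d-%m-%Y %H:%M:%S") for the x-axis label, rendered in UTC."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%d-%m-%Y %H:%M:%S")


if __name__ == "__main__":
    ev = set_time(make_events())
    # | timechart span=1h avg(temperature_value)
    for t0, v in timechart(ev, 3600, "avg", field="temperature_value").items():
        print(label(t0), v)
    # | bin temperature_value span=5 | timechart span=1h count by temperature_value
    binned = bin_field(ev, "temperature_value", 5)
    for t0, v in timechart(binned, 3600, "count", by="temperature_value").items():
        print(label(t0), v)
```

The model makes the point of item 2 concrete: once _time is set from timeStamp_Temperature, the bucket start is the x value and the aggregate is the y value, so a raw field name with no aggregate has no defined meaning per bucket, which is the error the original search hit. One unrelated check on the search itself: `index=_* OR index=*` scans every index on the instance, internal `_`-prefixed ones included, so once the right index is known the search should name it explicitly.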
Hi DalJeanis,
First of all, thank you for replying to my question!
After looking at points 1 and 2, I realized what I actually needed. I require the graph to just show the temperatures (y axis) vs time (x axis). My index contains a series of temperatures recorded at every 3 sec time interval (this is what I want to show).
index=_* OR index=* source="live logs.zip:.\\tenant_1.tgz:.\\tenant_1/application_24978294676695149906/application.log" sourcetype="tenant_1/application_00247908011074894418/application" | eval TIME=strftime(timeStamp_Temperature, "%d-%m-%Y %H:%M:%S") |
TIME will convert my epoch time to time in "%d-%m-%Y %H:%M:%S", which is the label I need (with reference to ss-wrong.png, the first picture's x axis).
Hence, I am not sure how to write the timechart query such that I can get a temp vs time graph.
I tried timechart span=1h temperature_value by _time but it throws an error that I need to add an aggregate function before the temperature_value field. Is there any way to not alter the temperature values from the indexed dataset but at the same time use timechart to show time labels on the x axis?
Thank you!!!