Solved: How to chart field values by another field _time?

macadminrohit · ‎03-12-2018

Hi,

I am running this query:

index=servers sourcetype=json Name=* Version=* Id=* | dedup _raw |fillnull bdy.ex.Msg value="NullBdyExMsg"|chart count over Name bylevel | eval ratio=((Critical+Error)/Information)

I want a line chart visualization which shows different lines for Name field and _time on X-axis. I tried all the possible options but it doesn't work.

tiagofbmm · ‎03-12-2018

Hi

Name field and _time on X-axis, Try this:

index=servers sourcetype=json Name= Version= Id=* 
| dedup _raw 
|fillnull bdy.ex.Msg value="NullBdyExMsg"
| bucket _time
|chart count over _time by Name

View solution in original post

tiagofbmm · ‎03-12-2018

Hi

Name field and _time on X-axis, Try this:

index=servers sourcetype=json Name= Version= Id=* 
| dedup _raw 
|fillnull bdy.ex.Msg value="NullBdyExMsg"
| bucket _time
|chart count over _time by Name

tiagofbmm · ‎03-21-2018

Please let me know if the answer was useful for you. If it was, accept it and upvote. If not, give us more input so we can help you with that

How to chart field values by another field _time?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

Join the Conversation