Splunk Search

How to chart field values by another field _time?

Contributor

Hi,

I am running this query:

index=servers sourcetype=json Name=* Version=* Id=* | dedup _raw |fillnull bdy.ex.Msg value="NullBdyExMsg"|chart count over Name bylevel | eval ratio=((Critical+Error)/Information)

I want a line chart visualization which shows different lines for Name field and _time on X-axis. I tried all the possible options but it doesn't work.

0 Karma
1 Solution

Influencer

Hi

Name field and _time on X-axis, Try this:

index=servers sourcetype=json Name= Version= Id=* 
| dedup _raw 
|fillnull bdy.ex.Msg value="NullBdyExMsg"
| bucket _time
|chart count over _time by Name 

View solution in original post

0 Karma

Influencer

Hi

Name field and _time on X-axis, Try this:

index=servers sourcetype=json Name= Version= Id=* 
| dedup _raw 
|fillnull bdy.ex.Msg value="NullBdyExMsg"
| bucket _time
|chart count over _time by Name 

View solution in original post

0 Karma

Influencer

Please let me know if the answer was useful for you. If it was, accept it and upvote. If not, give us more input so we can help you with that

0 Karma