Solved: How to chart field values by another field _time?

macadminrohit · ‎03-12-2018

Hi,

I am running this query:

index=servers sourcetype=json Name=* Version=* Id=* | dedup _raw |fillnull bdy.ex.Msg value="NullBdyExMsg"|chart count over Name bylevel | eval ratio=((Critical+Error)/Information)

I want a line chart visualization which shows different lines for Name field and _time on X-axis. I tried all the possible options but it doesn't work.

tiagofbmm · ‎03-12-2018

Hi

Name field and _time on X-axis, Try this:

index=servers sourcetype=json Name= Version= Id=* 
| dedup _raw 
|fillnull bdy.ex.Msg value="NullBdyExMsg"
| bucket _time
|chart count over _time by Name

View solution in original post

tiagofbmm · ‎03-12-2018

Hi

Name field and _time on X-axis, Try this:

index=servers sourcetype=json Name= Version= Id=* 
| dedup _raw 
|fillnull bdy.ex.Msg value="NullBdyExMsg"
| bucket _time
|chart count over _time by Name

tiagofbmm · ‎03-21-2018

Please let me know if the answer was useful for you. If it was, accept it and upvote. If not, give us more input so we can help you with that

How to chart field values by another field _time?

New Year, New Changes for Splunk Certifications

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

Join the Conversation

How to chart field values by another field _time?

New Year, New Changes for Splunk Certifications

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events