Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to chart values over time

theouhuios
Motivator
‎08-27-2015 07:14 AM

Hello

What I am trying to do is to literally chart the values over time. Now the value can be anything. It can be a string too. My goal here is to just show what values occurred over that time

Eg Data:
alt text

I need to be able to show in a graph that these job_id's were being executed at that point of time. Is it possible? Do I need to use some advance charting mechanism to show this?

Tags (2)
Preview file
1 KB
Reply

woodcock
Esteemed Legend
‎08-27-2015 04:20 PM

This should do it:

... | timechart span=1h count by job_id
0 Karma
Reply

mporath_splunk
Splunk Employee
Splunk Employee
‎08-27-2015 10:56 AM

Unfortunately there's no out-of-the-box way to do that (yet). Using a hack gets you pretty close: You could do 

... | timechart values(linecount) by job_id span=1m

Given fine enough resolution for span, this sets the value for each job_id to 1. You can then do a line chart, like so:
alt text

Preview file
1 KB
Reply

somesoni2
Revered Legend
‎08-27-2015 09:32 AM

If you just want to plot a point to denote that a particular job ID was run, try something like this

your current search giving above table | mvexpand job_id | eval value=1 | table _time job_id value

This will plot a value of 1 for all job_id (select column chart).

*Updated answer *

 your current search giving above table | mvexpand job_id | eval value=1 | chart values(value) over _time by job_id limit=0
Reply

theouhuios
Motivator
‎08-27-2015 10:39 AM

Well yes, thats the plan. But I still need to show which job_id was running then.

0 Karma
Reply

somesoni2
Revered Legend
‎08-27-2015 11:00 AM

Give updated answer a try

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-27-2015 10:00 AM

Thanks for the correction.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-27-2015 07:53 AM

Have you tried appending a timechart command to your search?

... | timechart values(job_id)
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

theouhuios
Motivator
‎08-27-2015 07:58 AM

I did. I think the problem is its not a straight number . As you see in the image above, it has a _ in between the two numbers. May be because of that it doesn't know how to chart it

0 Karma
Reply

theouhuios
Motivator
‎08-27-2015 08:02 AM 
|replace "*_*" with "**" in job_id

This make it a number. But thats not really what I want to do. I just want to show the value by _time.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-27-2015 08:07 AM

I sort of expected that. Charting is something best done with numbers. I'm not sure of the utility of charting unique strings. @woodcock's answer will show job_id's broken down by time. Perhaps you can experiment with different visualizations to see if any work for you.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

woodcock
Esteemed Legend
‎08-27-2015 07:51 AM

Something like this will work:

... | bucket _time span=1d | stats values(job_id) by _time
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...