How to chart values over time

Motivator

Hello

What I am trying to do is literally chart the values over time. The value can be anything; it can be a string too. My goal here is just to show what values occurred over that time.

E.g. data: (image of the sample table not included)

I need to be able to show in a graph that these job_ids were being executed at that point of time. Is it possible? Do I need to use some advanced charting mechanism to show this?


Esteemed Legend

This should do it:

... | timechart span=1h count by job_id

Splunk Employee

Unfortunately there's no out-of-the-box way to do that (yet). Using a hack gets you pretty close; you could do

... | timechart values(linecount) by job_id span=1m

Given a fine enough resolution for span, this sets the value for each job_id to 1. You can then do a line chart, like so:
(line chart image not included)

Revered Legend

If you just want to plot a point to denote that a particular job ID was run, try something like this:

your current search giving above table | mvexpand job_id | eval value=1 | table _time job_id value

This will plot a value of 1 for all job_ids (select column chart).

Updated answer:

your current search giving above table | mvexpand job_id | eval value=1 | chart values(value) over _time by job_id limit=0

Motivator

Well yes, that's the plan. But I still need to show which job_id was running then.


Revered Legend

Give the updated answer a try.


SplunkTrust

Thanks for the correction.

---
If this reply helps you, an upvote would be appreciated.

SplunkTrust

Have you tried appending a timechart command to your search?

... | timechart values(job_id)

Motivator

I did. I think the problem is it's not a straight number. As you see in the image above, it has a _ in between the two numbers. Maybe because of that it doesn't know how to chart it.


Motivator

|replace "*_*" with "**" in job_id

This makes it a number. But that's not really what I want to do. I just want to show the value by _time.


SplunkTrust

I sort of expected that. Charting is something best done with numbers. I'm not sure of the utility of charting unique strings. @woodcock's answer will show job_ids broken down by time. Perhaps you can experiment with different visualizations to see if any work for you.


Esteemed Legend

Something like this will work:

... | bucket _time span=1d | stats values(job_id) by _time
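As an added example, not code from the original thread, the Python below does on a handful of constructed events what the SPL in the answers above does: it floors _time to a span (bucket _time span=...), flattens a multivalue job_id the way mvexpand does, lists the distinct job_ids per bucket (stats values(job_id) by _time), and builds the zero-filled wide table that timechart span=... count by job_id charts. job_id is kept as a string throughout, so the underscore in values such as 1234_5678 never needs to be stripped; only the count per bucket has to be numeric. The events, timestamps and job_id values are made up for the illustration.

```python
"""Bucket job_id events by time span and aggregate them, mirroring the SPL
answers in this thread (bucket/stats values and timechart count by)."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events, not data from the original thread. The last event
# carries a multivalue job_id, which is what `mvexpand job_id` flattens.
SAMPLE_EVENTS = [
    {"_time": "2019-03-01T00:15:00Z", "job_id": "1234_5678"},
    {"_time": "2019-03-01T01:05:00Z", "job_id": "1234_5678"},
    {"_time": "2019-03-01T01:40:00Z", "job_id": "9876_4321"},
    {"_time": "2019-03-02T03:00:00Z", "job_id": "9876_4321"},
    {"_time": "2019-03-02T03:30:00Z", "job_id": ["1111_2222", "9876_4321"]},
]

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
# Spans understood by this example; Splunk's span syntax is wider than this.
SPAN_SECONDS = {"1m": 60, "5m": 300, "1h": 3600, "1d": 86400}


def to_epoch(stamp):
    """Parse a UTC timestamp string into epoch seconds."""
    return datetime.strptime(stamp, TIME_FMT).replace(tzinfo=timezone.utc).timestamp()


def from_epoch(epoch):
    """Render epoch seconds back into the same UTC string format."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime(TIME_FMT)


def bucket(epoch, span):
    """Floor a timestamp to the start of its span, like `bucket _time span=...`."""
    secs = SPAN_SECONDS[span]
    return int(epoch // secs) * secs


def mvexpand(events, field="job_id"):
    """Yield one (epoch, value) pair per value, flattening multivalue fields.
    Values stay strings: no numeric cast, so '1234_5678' is left intact."""
    for ev in events:
        vals = ev[field] if isinstance(ev[field], list) else [ev[field]]
        for v in vals:
            yield to_epoch(ev["_time"]), str(v)


def values_by_time(events, span):
    """`... | bucket _time span=<span> | stats values(job_id) by _time`:
    the distinct job_ids seen in each bucket, keyed by bucket start."""
    seen = defaultdict(set)
    for epoch, job in mvexpand(events):
        seen[bucket(epoch, span)].add(job)
    return {from_epoch(t): sorted(seen[t]) for t in sorted(seen)}


def count_by_job(events, span):
    """`... | timechart span=<span> count by job_id`: one row per bucket from
    the first to the last event, one column per job_id, zero-filled so a
    column or line chart shows gaps instead of silently dropping empty buckets."""
    secs = SPAN_SECONDS[span]
    counts = defaultdict(lambda: defaultdict(int))
    for epoch, job in mvexpand(events):
        counts[bucket(epoch, span)][job] += 1
    if not counts:
        return {}
    jobs = sorted({j for row in counts.values() for j in row})
    start, end = min(counts), max(counts)
    return {
        from_epoch(t): {j: counts.get(t, {}).get(j, 0) for j in jobs}
        for t in range(start, end + secs, secs)
    }


if __name__ == "__main__":
    for when, jobs in values_by_time(SAMPLE_EVENTS, "1d").items():
        print(when, jobs)
    for when, row in count_by_job(SAMPLE_EVENTS, "1h").items():
        if any(row.values()):
            print(when, dict(row))
```

The wide table from count_by_job is the shape a column chart wants: one series per job_id, with 0 where the job did not run in that bucket. Note that the values(linecount) hack earlier in the thread only yields 1 when every event is a single line; counting events per job_id per bucket does not depend on that.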