Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a time chart with milestones?

dbcase
Motivator
‎01-27-2017 09:14 AM

Hi,

I'm trying to get some sort of timechart with milestones. Something like the attached pic (example) . alt text

I know Splunk can't do exactly what is in the pic but I was thinking of a column chart with two series. Series #1 would come from index betadb, and series 2 would come from index allmsos.

betadb events look like this:

1004534,1004295,TCA203,N,N,01-26-2017 05:01:33,null

PremiseID, reference number, hardware, don't care, don't care, date time, don't care

and the allmsos data looks like this:

01-27-2017 10:27:59,7_3_10_000500_3851899

date time, version number

Iguinn was very helpful and came up with a query that looks like this:

(index=betadb OR index=allmsos) (source=*bbOrCellOffline* OR source=*Beta.csv*) 
 | eval theSource=if(index=="betadb","bbOrCellOffline","Beta.csv")
 | timechart count by theSource|rename Beta.csv as "Version Count"

And it works the way I had described the problem. What I didn't think of is, the allmsos data will be updated every day so there will be "duplicate" entries in there, only the date will change. I don't want to graph every day. I only want to graph when the version number changes..... And I'm stumped on this one.

Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎01-27-2017 09:29 AM

Give this a try. Check the field names and base searches. The ideas is to have allmsos data appended to other data and a dedup is done on version number so that only the records when version changes will exist.

(index=betadb  source=*Beta.csv*) 
 timechart count as  "Version Count"
| append [search index=allmsos source=*bbOrCellOffline* | dedup "Version Number" | timechart count as bbOrCellOffline] 
 timechart values(*) as *

View solution in original post

Reply
Solved! Jump to solution

gokadroid
Motivator
‎01-27-2017 09:36 AM

Just a thought:

How about the one's u want to keep as timeline milestone, keep them as bar charts and then overlay the one you want to keep as line on these bars. That will give the similar affect of having milestones standing lines (bars) and a line running through them (the value u overlayed).

Reply
Solved! Jump to solution

dbcase
Motivator
‎01-27-2017 09:39 AM

That will work even better! TY! Now to get the query sorted

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎01-27-2017 09:29 AM

Give this a try. Check the field names and base searches. The ideas is to have allmsos data appended to other data and a dedup is done on version number so that only the records when version changes will exist.

(index=betadb  source=*Beta.csv*) 
 timechart count as  "Version Count"
| append [search index=allmsos source=*bbOrCellOffline* | dedup "Version Number" | timechart count as bbOrCellOffline] 
 timechart values(*) as *
Reply
Solved! Jump to solution

dbcase
Motivator
‎01-27-2017 09:34 AM

Hi Somesoni2,

Not very familiar with the append command (yet)

getting this error

Error in 'append' command: The last argument must be a subsearch.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎01-27-2017 09:47 AM

Actually missed the puoe before last timechart. Please add that and update the sources accordingly.

0 Karma
Reply
Solved! Jump to solution

dbcase
Motivator
‎01-27-2017 11:38 AM

Fixed it!

Query looks like this:

(index=allmsos  source=*Beta.csv*) | dedup "Version"
  |timechart count as  "Version Count"  | append [search index=betadb source=*bbOrCellOffline* | timechart count as bbOrCellOffline] |
  timechart values(*) as * |convert num("Version Count") as vc |eval vc=vc*50|fields - "Version Count"
0 Karma
Reply
Solved! Jump to solution

dbcase
Motivator
‎01-27-2017 09:36 AM

Also I'm thinking that the sources/indexes are mismatched

index=betadb has a source of bbOrCellOffline

index=allmsos has a source of Beta.csv

0 Karma
Reply
Solved! Jump to solution

dbcase
Motivator
‎01-27-2017 09:53 AM

Fixed the search but still not quite where it needs to be

(index=allmsos  source=*Beta.csv*) 
  |timechart count as  "Version Count"  | append [search index=betadb source=*bbOrCellOffline* | dedup "Version"| timechart count as bbOrCellOffline] |
  timechart values(*) as *

This query just gives a stat table of the Beta.csv source. No betadb data is represented.

0 Karma
Reply
Solved! Jump to solution

dbcase
Motivator
‎01-27-2017 09:56 AM

Also The Version field is part of the Beta.csv source. If I remove the dedup "Version" it does give me close to the chart I'm looking for but I'm back to each day having a Version column as in the original query that Iguinn provided.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...