Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to create a timechart with unit field values i...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello
I want t to do a timechart with unit field values in nanoseconds and based on a token filter $field$
The timechart is based on the code below:
index="windows-wmi" sourcetype="WMI:CPUload" host="$field1$" (Name="mfetp/*" OR Name="mcshield/*") Name=$Service$
| rex field=Name "^(?<Service>[^\/]+)[\/]"
| eval _time = strftime(_time, "%Y-%m-%d %H:%M")
| sort -_time
| stats avg(PercentProcessorTime) as PercentProcessorTime_AVG, avg(Timestamp_Sys100NS) as Timestamp_Sys100NS_AVG by host, Service
The timechart code is
index="windows-wmi" sourcetype="WMI:CPUload" host="$field1$" (Name="mfetp/*" OR Name="mcshield/*") Name=$Service$
| rex field=Name "^(?<Service>[^\/]+)[\/]"
| eval _time = strftime(_time, "%Y-%m-%d %H:%M")
| sort -_time
|timechart span=10m avg(PercentProcessorTime) as PercentProcessorTime_AVG by Service
First i have no value displayed in the graph, just a linear line with value = 0
What would I have to do to display these values in a better way?
Thanks a lot
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @jip31.
Try removing the eval _time = strftime(_time, "%Y-%m-%d %H:%M") from your search. Splunk automatically converts it into a readable format unless you assign _time to another variable.
index="windows-wmi" sourcetype="WMI:CPUload" host="$field1$" (Name="mfetp/" OR Name="mcshield/") Name=$Service$
| rex field=Name "^(?[^\/]+)[\/]" |timechart span=10m avg(PercentProcessorTime) as PercentProcessorTime_AVG by Service
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @jip31.
Try removing the eval _time = strftime(_time, "%Y-%m-%d %H:%M") from your search. Splunk automatically converts it into a readable format unless you assign _time to another variable.
index="windows-wmi" sourcetype="WMI:CPUload" host="$field1$" (Name="mfetp/" OR Name="mcshield/") Name=$Service$
| rex field=Name "^(?[^\/]+)[\/]" |timechart span=10m avg(PercentProcessorTime) as PercentProcessorTime_AVG by Service
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi
thanks it was the issue....
i have another question : in this chart i need another curve
the code is the same than for the first curve, the data refer just to another machine
how can i do this please??
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @jip31, if above answer solved your issue, please upvote and accept it. For your second query, add both hosts to the filter (host="host1" OR host="host2") and use eval in avg
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi renjith
and many thanks
yesterday there was the code for the eval function but i cant see it today??
can you give it again please???
[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events
Enter the Agentic Era with Splunk AI Assistant for SPL 1.4
Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...
