Splunk Search

How to develop a timechart that will show multiple events and the time the events occurred?

duraij
Explorer

Hi, I am trying to plot a multiseries timechart. Trying to plot the multiple events and the time the events occurred.

For example: for Date '01Nov', Event1 occurred at 10AM, Event 2 occurred at 11AM, etc. I have 5 events for a given date. Please guide me in how to plot all the details in the line/column graph. My data looks like this (first row is the headers).

Value_Date  REGION AREA  SLA TIME   EVENT2 TIME   EVENT3 TIME   EVENT4 TIME   EVENT5 TIME   EVENT6 TIME   EVENT7 TIME

11/2/2016   EMEA         WMSB      11/2/16 8:30 AM    11/2/16 11:23 AM   11/2/16 11:23 AM   11/2/16 11:48 AM    11/2/16 11:47 AM    11/2/16 11:41 AM    11/2/16 12:06 PM
11/2/2016   AMER         Credit     11/2/16 8:00 AM 11/2/16 6:15 AM 11/2/16 6:18 AM  11/2/16 7:16 AM    11/2/16 6:40 AM 11/2/16 6:25 AM 11/2/16 7:06 AM
11/2/2016   EMEA         Credit     11/2/16 4:00 AM 11/1/16 10:13 PM   11/1/16 10:16 PM 11/1/16 10:53 PM    11/1/16 10:53 PM    11/1/16 10:23 PM    11/1/16 10:27 PM
11/2/2016   Global       FXMM       11/2/16 4:00 AM 11/2/16 3:02 AM 11/2/16 3:20 AM  11/2/16 4:15 AM    11/2/16 3:48 AM 11/2/16 3:43 AM 11/2/16 3:51 AM
11/2/2016   Global       FXMM       11/2/16 4:00 AM 11/2/16 12:29 PM   11/2/16 12:31 PM 11/2/16 12:48 PM    11/2/16 12:51 PM    11/2/16 2:18 AM 11/2/16 1:11 PM
0 Karma

duraij
Explorer

I am still having trouble with the achieving the above requirement. I have upgraded splunk to 6.4 and tried using Timeline app but no luck. Any help would be really appreciated.
Thanks

0 Karma

sundareshr
Legend

Try this

base search | stats span=1d earliest(eval(if(event="event1", _time, null()))) as E1_Time earliest(eval(if(event="event2", _time, null()))) as E2_Time earliest(eval(if(event="event3", _time, null()))) as E3_Time etc etc by _time region_are sla_time
0 Karma

duraij
Explorer

I am still having trouble with the achieving the above requirement. I have upgraded splunk to 6.4 and tried using Timeline app but no luck. Any help would be really appreciated.
Thanks

0 Karma

duraij
Explorer

I am still having trouble with the achieving the above requirement. I have upgraded splunk to 6.4 and tried using Timeline app but no luck. Any help would be really appreciated.

Thanks

0 Karma

duraij
Explorer

I am still having trouble with the achieving the above requirement. I have upgraded splunk to 6.4 and tried using Timeline app but no luck. Any help would be really appreciated.
Thanks

0 Karma

duraij
Explorer

I am still having trouble with the achieving the above requirement. I have upgraded splunk to 6.4 and tried using Timeline app but no luck. Any help would be really appreciated.
Thanks

0 Karma

duraij
Explorer

Thanks for your reply but it didn't work. Also I can't use _time in my search instead I have to use Value_Date. The Problem I am facing is I am not able to show the actual Eventtime in the Y axis. Expecting Region, Area in the X Axis and Eventstime in the Y axis (as 24hrs Window). My current search looks like below.

base search | eval new_value_date=strptime(VALUE_DATE, "%Y-%m-%d %H:%M:%S")| convert ctime(new_value_date) , timeformat="%Y-%m-%d"|eval rptid=new_value_date."_".SYSTEM_NAME."_".REGION."_".AREA."_".ROLL_REQUEST_ID| eval s1="1_new_value_date 2_Event2  3_Event3 6_Event6  7_Event7 4_Event4  5_Event5  8_SLA_DATE" | makemv s1 | mvexpand s1 | eval yval=case(s1=="1_new_value_date",new_value_date,s1=="6_Event6",Event6 ,s1=="7_Event7",Event7,s1=="4_Event4",Event4,s1=="5_Event5",Event5,s1=="2_Event2",Event2,s1=="3_Event3",Event3,s1=="8_SLA_DATE",SLA_DATE)  | eval yval=if(s1=="1_new_value_date",strptime(VALUE_DATE, "%F"),strptime(yval, "%F %H:%M:%S")) | eval time=yval | eval series=rptid  | fields time s1 rptid yval SLA_DATE | eventstats first(_time) AS start BY rptid | stats max(time) AS time BY s1 rptid new_value_date | fieldformat time=strftime(time,"%F %H:%M:%S") | xyseries s1 rptid time
0 Karma
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...