Hi, I am trying to plot a multiseries timechart. I am trying to plot multiple events and the times at which the events occurred.
For example: for Date '01Nov', Event1 occurred at 10AM, Event 2 occurred at 11AM, etc. I have 5 events for a given date. Please guide me in how to plot all the details in the line/column graph. My data looks like this (first row is the headers).
Value_Date | REGION | AREA | SLA TIME | EVENT2 TIME | EVENT3 TIME | EVENT4 TIME | EVENT5 TIME | EVENT6 TIME | EVENT7 TIME
11/2/2016 | EMEA | WMSB | 11/2/16 8:30 AM | 11/2/16 11:23 AM | 11/2/16 11:23 AM | 11/2/16 11:48 AM | 11/2/16 11:47 AM | 11/2/16 11:41 AM | 11/2/16 12:06 PM
11/2/2016 | AMER | Credit | 11/2/16 8:00 AM | 11/2/16 6:15 AM | 11/2/16 6:18 AM | 11/2/16 7:16 AM | 11/2/16 6:40 AM | 11/2/16 6:25 AM | 11/2/16 7:06 AM
11/2/2016 | EMEA | Credit | 11/2/16 4:00 AM | 11/1/16 10:13 PM | 11/1/16 10:16 PM | 11/1/16 10:53 PM | 11/1/16 10:53 PM | 11/1/16 10:23 PM | 11/1/16 10:27 PM
11/2/2016 | Global | FXMM | 11/2/16 4:00 AM | 11/2/16 3:02 AM | 11/2/16 3:20 AM | 11/2/16 4:15 AM | 11/2/16 3:48 AM | 11/2/16 3:43 AM | 11/2/16 3:51 AM
11/2/2016 | Global | FXMM | 11/2/16 4:00 AM | 11/2/16 12:29 PM | 11/2/16 12:31 PM | 11/2/16 12:48 PM | 11/2/16 12:51 PM | 11/2/16 2:18 AM | 11/2/16 1:11 PM
I am still having trouble achieving the above requirement. I have upgraded Splunk to 6.4 and tried using the Timeline app, but no luck. Any help would be really appreciated.
Thanks
Try this
base search | stats span=1d earliest(eval(if(event="event1", _time, null()))) as E1_Time earliest(eval(if(event="event2", _time, null()))) as E2_Time earliest(eval(if(event="event3", _time, null()))) as E3_Time etc etc by _time region_are sla_time
Thanks for your reply, but it didn't work. Also, I can't use _time in my search; instead I have to use Value_Date. The problem I am facing is that I am not able to show the actual event time on the Y axis. I am expecting Region and Area on the X axis and the event times on the Y axis (as a 24-hour window). My current search looks like the one below.
base search
| eval new_value_date=strptime(VALUE_DATE, "%Y-%m-%d %H:%M:%S")
| convert ctime(new_value_date) , timeformat="%Y-%m-%d"
| eval rptid=new_value_date."_".SYSTEM_NAME."_".REGION."_".AREA."_".ROLL_REQUEST_ID
| eval s1="1_new_value_date 2_Event2 3_Event3 6_Event6 7_Event7 4_Event4 5_Event5 8_SLA_DATE"
| makemv s1
| mvexpand s1
| eval yval=case(s1=="1_new_value_date",new_value_date,s1=="6_Event6",Event6 ,s1=="7_Event7",Event7,s1=="4_Event4",Event4,s1=="5_Event5",Event5,s1=="2_Event2",Event2,s1=="3_Event3",Event3,s1=="8_SLA_DATE",SLA_DATE)
| eval yval=if(s1=="1_new_value_date",strptime(VALUE_DATE, "%F"),strptime(yval, "%F %H:%M:%S"))
| eval time=yval
| eval series=rptid
| fields time s1 rptid yval SLA_DATE
| eventstats first(_time) AS start BY rptid
| stats max(time) AS time BY s1 rptid new_value_date
| fieldformat time=strftime(time,"%F %H:%M:%S")
| xyseries s1 rptid time
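An added example, not part of the original thread: Splunk charts plot numeric Y values, so one way to get event times onto a 24-hour Y axis is to convert each timestamp into hours elapsed since midnight of VALUE_DATE and chart those numbers per Region/Area. The field names VALUE_DATE, REGION, AREA, SLA_DATE and Event2 to Event4 come from the search above; `day_start`, `series` and the `*_hrs` suffix are names assumed here, and the two sample rows are constructed from the posted data, rewritten in the timestamp format that search parses.

```spl
| makeresults
| eval VALUE_DATE="2016-11-02 00:00:00", REGION="EMEA", AREA="Credit",
       SLA_DATE="2016-11-02 04:00:00",
       Event2="2016-11-01 22:13:00",
       Event3="2016-11-01 22:16:00",
       Event4="2016-11-01 22:53:00"
| append
    [| makeresults
     | eval VALUE_DATE="2016-11-02 00:00:00", REGION="AMER", AREA="Credit",
            SLA_DATE="2016-11-02 08:00:00",
            Event2="2016-11-02 06:15:00",
            Event3="2016-11-02 06:18:00",
            Event4="2016-11-02 07:16:00"]
| eval day_start=strptime(VALUE_DATE, "%Y-%m-%d %H:%M:%S")
| eval series=REGION."_".AREA
| foreach SLA_DATE Event*
    [ eval <<FIELD>>_hrs=round((strptime('<<FIELD>>', "%Y-%m-%d %H:%M:%S") - day_start) / 3600, 2) ]
| table series *_hrs
```

Rendered as a column or line chart, `series` becomes the X axis and each `*_hrs` field becomes one series on the Y axis. Events that completed on the previous calendar day, as in the EMEA Credit row, come out as negative hours, so they sit below the midnight baseline instead of being wrapped into the wrong day.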