Splunk Search

How to develop a timechart that will show multiple events and the time the events occurred?

duraij
Explorer

Hi, I am trying to plot a multiseries timechart. Trying to plot the multiple events and the time the events occurred.

For example: for Date '01Nov', Event1 occurred at 10AM, Event 2 occurred at 11AM, etc. I have 5 events for a given date. Please guide me in how to plot all the details in the line/column graph. My data looks like this (first row is the headers).

Value_Date  REGION AREA  SLA TIME   EVENT2 TIME   EVENT3 TIME   EVENT4 TIME   EVENT5 TIME   EVENT6 TIME   EVENT7 TIME

11/2/2016   EMEA         WMSB      11/2/16 8:30 AM    11/2/16 11:23 AM   11/2/16 11:23 AM   11/2/16 11:48 AM    11/2/16 11:47 AM    11/2/16 11:41 AM    11/2/16 12:06 PM
11/2/2016   AMER         Credit     11/2/16 8:00 AM 11/2/16 6:15 AM 11/2/16 6:18 AM  11/2/16 7:16 AM    11/2/16 6:40 AM 11/2/16 6:25 AM 11/2/16 7:06 AM
11/2/2016   EMEA         Credit     11/2/16 4:00 AM 11/1/16 10:13 PM   11/1/16 10:16 PM 11/1/16 10:53 PM    11/1/16 10:53 PM    11/1/16 10:23 PM    11/1/16 10:27 PM
11/2/2016   Global       FXMM       11/2/16 4:00 AM 11/2/16 3:02 AM 11/2/16 3:20 AM  11/2/16 4:15 AM    11/2/16 3:48 AM 11/2/16 3:43 AM 11/2/16 3:51 AM
11/2/2016   Global       FXMM       11/2/16 4:00 AM 11/2/16 12:29 PM   11/2/16 12:31 PM 11/2/16 12:48 PM    11/2/16 12:51 PM    11/2/16 2:18 AM 11/2/16 1:11 PM
0 Karma

duraij
Explorer

I am still having trouble with the achieving the above requirement. I have upgraded splunk to 6.4 and tried using Timeline app but no luck. Any help would be really appreciated.
Thanks

0 Karma

sundareshr
Legend

Try this

base search | stats span=1d earliest(eval(if(event="event1", _time, null()))) as E1_Time earliest(eval(if(event="event2", _time, null()))) as E2_Time earliest(eval(if(event="event3", _time, null()))) as E3_Time etc etc by _time region_are sla_time
0 Karma

duraij
Explorer

I am still having trouble with the achieving the above requirement. I have upgraded splunk to 6.4 and tried using Timeline app but no luck. Any help would be really appreciated.
Thanks

0 Karma

duraij
Explorer

I am still having trouble with the achieving the above requirement. I have upgraded splunk to 6.4 and tried using Timeline app but no luck. Any help would be really appreciated.

Thanks

0 Karma

duraij
Explorer

I am still having trouble with the achieving the above requirement. I have upgraded splunk to 6.4 and tried using Timeline app but no luck. Any help would be really appreciated.
Thanks

0 Karma

duraij
Explorer

I am still having trouble with the achieving the above requirement. I have upgraded splunk to 6.4 and tried using Timeline app but no luck. Any help would be really appreciated.
Thanks

0 Karma

duraij
Explorer

Thanks for your reply but it didn't work. Also I can't use _time in my search instead I have to use Value_Date. The Problem I am facing is I am not able to show the actual Eventtime in the Y axis. Expecting Region, Area in the X Axis and Eventstime in the Y axis (as 24hrs Window). My current search looks like below.

base search | eval new_value_date=strptime(VALUE_DATE, "%Y-%m-%d %H:%M:%S")| convert ctime(new_value_date) , timeformat="%Y-%m-%d"|eval rptid=new_value_date."_".SYSTEM_NAME."_".REGION."_".AREA."_".ROLL_REQUEST_ID| eval s1="1_new_value_date 2_Event2  3_Event3 6_Event6  7_Event7 4_Event4  5_Event5  8_SLA_DATE" | makemv s1 | mvexpand s1 | eval yval=case(s1=="1_new_value_date",new_value_date,s1=="6_Event6",Event6 ,s1=="7_Event7",Event7,s1=="4_Event4",Event4,s1=="5_Event5",Event5,s1=="2_Event2",Event2,s1=="3_Event3",Event3,s1=="8_SLA_DATE",SLA_DATE)  | eval yval=if(s1=="1_new_value_date",strptime(VALUE_DATE, "%F"),strptime(yval, "%F %H:%M:%S")) | eval time=yval | eval series=rptid  | fields time s1 rptid yval SLA_DATE | eventstats first(_time) AS start BY rptid | stats max(time) AS time BY s1 rptid new_value_date | fieldformat time=strftime(time,"%F %H:%M:%S") | xyseries s1 rptid time
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...