Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to develop a timechart that will show multiple events and the time the events occurred?

duraij
Explorer
‎11-28-2016 09:13 AM

Hi, I am trying to plot a multiseries timechart. Trying to plot the multiple events and the time the events occurred.

For example: for Date '01Nov', Event1 occurred at 10AM, Event 2 occurred at 11AM, etc. I have 5 events for a given date. Please guide me in how to plot all the details in the line/column graph. My data looks like this (first row is the headers).

Value_Date  REGION AREA  SLA TIME   EVENT2 TIME   EVENT3 TIME   EVENT4 TIME   EVENT5 TIME   EVENT6 TIME   EVENT7 TIME

11/2/2016   EMEA         WMSB      11/2/16 8:30 AM    11/2/16 11:23 AM   11/2/16 11:23 AM   11/2/16 11:48 AM    11/2/16 11:47 AM    11/2/16 11:41 AM    11/2/16 12:06 PM
11/2/2016   AMER         Credit     11/2/16 8:00 AM 11/2/16 6:15 AM 11/2/16 6:18 AM  11/2/16 7:16 AM    11/2/16 6:40 AM 11/2/16 6:25 AM 11/2/16 7:06 AM
11/2/2016   EMEA         Credit     11/2/16 4:00 AM 11/1/16 10:13 PM   11/1/16 10:16 PM 11/1/16 10:53 PM    11/1/16 10:53 PM    11/1/16 10:23 PM    11/1/16 10:27 PM
11/2/2016   Global       FXMM       11/2/16 4:00 AM 11/2/16 3:02 AM 11/2/16 3:20 AM  11/2/16 4:15 AM    11/2/16 3:48 AM 11/2/16 3:43 AM 11/2/16 3:51 AM
11/2/2016   Global       FXMM       11/2/16 4:00 AM 11/2/16 12:29 PM   11/2/16 12:31 PM 11/2/16 12:48 PM    11/2/16 12:51 PM    11/2/16 2:18 AM 11/2/16 1:11 PM
0 Karma
Reply

duraij
Explorer
‎01-23-2017 07:41 AM

I am still having trouble with the achieving the above requirement. I have upgraded splunk to 6.4 and tried using Timeline app but no luck. Any help would be really appreciated.
Thanks

0 Karma
Reply

sundareshr
Legend
‎11-28-2016 02:34 PM

Try this

base search | stats span=1d earliest(eval(if(event="event1", _time, null()))) as E1_Time earliest(eval(if(event="event2", _time, null()))) as E2_Time earliest(eval(if(event="event3", _time, null()))) as E3_Time etc etc by _time region_are sla_time
0 Karma
Reply

duraij
Explorer
‎01-23-2017 12:04 PM

I am still having trouble with the achieving the above requirement. I have upgraded splunk to 6.4 and tried using Timeline app but no luck. Any help would be really appreciated.
Thanks

0 Karma
Reply

duraij
Explorer
‎01-23-2017 12:03 PM

I am still having trouble with the achieving the above requirement. I have upgraded splunk to 6.4 and tried using Timeline app but no luck. Any help would be really appreciated.

Thanks

0 Karma
Reply

duraij
Explorer
‎01-23-2017 12:03 PM

I am still having trouble with the achieving the above requirement. I have upgraded splunk to 6.4 and tried using Timeline app but no luck. Any help would be really appreciated.
Thanks

0 Karma
Reply

duraij
Explorer
‎01-23-2017 12:02 PM

I am still having trouble with the achieving the above requirement. I have upgraded splunk to 6.4 and tried using Timeline app but no luck. Any help would be really appreciated.
Thanks

0 Karma
Reply

duraij
Explorer
‎11-29-2016 08:49 AM

Thanks for your reply but it didn't work. Also I can't use _time in my search instead I have to use Value_Date. The Problem I am facing is I am not able to show the actual Eventtime in the Y axis. Expecting Region, Area in the X Axis and Eventstime in the Y axis (as 24hrs Window). My current search looks like below.

base search | eval new_value_date=strptime(VALUE_DATE, "%Y-%m-%d %H:%M:%S")| convert ctime(new_value_date) , timeformat="%Y-%m-%d"|eval rptid=new_value_date."_".SYSTEM_NAME."_".REGION."_".AREA."_".ROLL_REQUEST_ID| eval s1="1_new_value_date 2_Event2  3_Event3 6_Event6  7_Event7 4_Event4  5_Event5  8_SLA_DATE" | makemv s1 | mvexpand s1 | eval yval=case(s1=="1_new_value_date",new_value_date,s1=="6_Event6",Event6 ,s1=="7_Event7",Event7,s1=="4_Event4",Event4,s1=="5_Event5",Event5,s1=="2_Event2",Event2,s1=="3_Event3",Event3,s1=="8_SLA_DATE",SLA_DATE)  | eval yval=if(s1=="1_new_value_date",strptime(VALUE_DATE, "%F"),strptime(yval, "%F %H:%M:%S")) | eval time=yval | eval series=rptid  | fields time s1 rptid yval SLA_DATE | eventstats first(_time) AS start BY rptid | stats max(time) AS time BY s1 rptid new_value_date | fieldformat time=strftime(time,"%F %H:%M:%S") | xyseries s1 rptid time
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

How to find the worst searches in your Splunk environment and how to fix them

Everyone knows Splunk is a powerful platform for running searches and doing data analytics. Your ...

Share Your Feedback: On Admin Config Service (ACS)!

Help Us Build a Better Admin Config Service Experience (ACS)   We Want Your Feedback on Admin Config Service ...

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...