Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Ask a Question
Solved! Jump to solution

How to display time ranges based on chart/table data

chadman
Path Finder
โ€Ž08-15-2016 05:44 AM

I have a timechart that works ok, but can be hard to read because of how Splunk averages the data. I have tried to show the chart as values and that also works, but still is hard to read. My goal is so have a nice way to preset some time ranges to the user. The data is either true/false and gets reported every min. I would like to display to the users all the time ranges the data is true in the search. Below is the chart I tried, but I'm not sure a chart is the best way to display this.

sourcetype="data1" host=host1
        | eval "Workstation Locked" = if(lock="True",1,0) 
        | chart values("Workstation Locked") as "Workstation Locked" by date
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
โ€Ž08-15-2016 05:54 AM

Have you look at the timeline app?

https://splunkbase.splunk.com/app/3120/

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
โ€Ž08-15-2016 05:54 AM

Have you look at the timeline app?

https://splunkbase.splunk.com/app/3120/

View solution in original post

0 Karma
Reply
Solved! Jump to solution

chadman
Path Finder
โ€Ž08-15-2016 06:04 AM

that does look cool, but I prefer a search option that does not require an addon if that's possible. It does not have to be in a chart.

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
โ€Ž08-15-2016 06:31 AM

Try this then

sourcetype="data1" host=host1
| autoregress lock
| streamstats count(eval(lock!=lock_p1)) as group 
| stats earliest(_time) as start latest(_time) as end by host group
| eval start=strftime(start, "%c")
| eval end=strftime(end, "%c")
0 Karma
Reply
Solved! Jump to solution

chadman
Path Finder
โ€Ž08-15-2016 06:48 AM

Looks good! I forgot to mention in my post that I would only like to see the time ranges when lock=1. I tired to add a | where lock=1 in the beginning of the search, but that broke it.

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
โ€Ž08-15-2016 06:51 AM

Add the where after just before the stats. Like this

 sourcetype="data1" host=host1
 | autoregress lock
 | streamstats count(eval(lock!=lock_p1)) as group 
 | where lock=1
 | stats earliest(_time) as start latest(_time) as end by host group
 | eval start=strftime(start, "%c")
 | eval end=strftime(end, "%c")
0 Karma
Reply
Solved! Jump to solution

chadman
Path Finder
โ€Ž08-15-2016 06:52 AM

Thanks! I figured it out just before your post. Thanks again for another great solution!

0 Karma
Reply