Solved: How to display two lines in a linechart based on o...

Bleepie · ‎01-07-2022

Dear Splunk Community,

Every 5 minutes the following event is generated :

2022-01-05 21:20:33 : Running

OR

2022-01-05 20:19:33 : Failed

I would like to display a timeline with two (2) lines showing when the system is running and when it fails. I have come so far:

running OR failed
| eval status = if(like(_raw, "%Running%"), "Running", "Not running")
| table status

I am in need of some guidance in this matter. How do I change the above search so that I have a line chart visualization with the two lines in it?

Thanks in advance.

ITWhisperer · ‎01-07-2022

running OR failed
| eval running= if(like(_raw, "%Running%"), 1, 0)
| eval notrunning= if(like(_raw, "%Running%"), 0, 1)
| table _time running notrunning

View solution in original post

yuanliu · ‎01-07-2022

Are you thinking of timechart?

running OR failed
| rex "\s+:\s+(?<status>\w+)"
| timechart span=5m count by status

(rex is more standard way of extracting info with the type of data you illustrated.)

Bleepie · ‎01-07-2022

Thanks for your reply. I have however accepted the other answer as it gives me a visually more appealing result.

ITWhisperer · ‎01-07-2022

running OR failed
| eval running= if(like(_raw, "%Running%"), 1, 0)
| eval notrunning= if(like(_raw, "%Running%"), 0, 1)
| table _time running notrunning

How to display two lines in a linechart based on one value?

chart

eval

fields

table

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Raise Your Skills at the .conf25 Builder Bar: Your Splunk Developer Destination

Hunt Smarter, Not Harder: Discover New SPL “Recipes” in Our Threat Hunting Webinar

Are you a member of the Splunk Community?