Re: How to get timechart to work in a search with ...

Tylerdygert · ‎11-14-2019

Hello, I am trying to make a timechart for my field "finalProfit" in the search below.
I have tried doing timechart per_hour(finalProfit), eval commands in my timechart search, and a number of other options but I'm having no luck.
If anyone can help me reorganize the search to work with the timechart command I would greatly appreciate it. Thanks!

 index=main sourcetype=marketapi
| foreach name [ eval baseprice = pricePerOne]
| eval savageDraught = case(name=="Wolf Blood", baseprice *4, name=="Blue Umbrella Mushroom", baseprice *4, name=="Bottle of River Water", baseprice *4, name=="Weeds", baseprice *1, name=="Monk's Branch", baseprice *16, name=="Moss Tree Sap", baseprice *16, name=="Powder of Darkness", baseprice *2, name=="Powder of Flame", baseprice *10, name=="Powder of Time", baseprice *6, name=="Red Tree Lump", baseprice *10, name=="Sky Blue Flower", baseprice *2, name=="Spirit's Leaf", baseprice *2, name=="Sunrise Herb", baseprice *1, name=="Thuja Sap", baseprice *12, name=="Violet Flower", baseprice *2, name=="Volcanic Umbrella Mushroom", baseprice *2)
| eval savageDraught = savageDraught/2.5
| search savageDraught!=''
| eval hammertime=_time
| bucket span=1h hammertime
| stats sum(savageDraught) AS craftedCost by hammertime
| appendcols
    [search index=main sourcetype=marketapi name="Savage Draught" 
    | eval Time=_time
    | eval purchaseCost = pricePerOne ]
| eval profit=purchaseCost - craftedCost - 100000
| eval finalProfit=profit*.85

Tylerdygert · ‎11-15-2019

I managed to get this work by using this search:

index=main sourcetype=marketapi
| foreach name [ eval baseprice = pricePerOne]
| eval savageDraught = case(name=="Wolf Blood", baseprice 4, name=="Blue Umbrella Mushroom", baseprice *4, name=="Bottle of River Water", baseprice *4, name=="Weeds", baseprice *1, name=="Monk's Branch", baseprice *16, name=="Moss Tree Sap", baseprice *16, name=="Powder of Darkness", baseprice *2, name=="Powder of Flame", baseprice *10, name=="Powder of Time", baseprice *6, name=="Red Tree Lump", baseprice *10, name=="Sky Blue Flower", baseprice *2, name=="Spirit's Leaf", baseprice *2, name=="Sunrise Herb", baseprice *1, name=="Thuja Sap", baseprice *12, name=="Violet Flower", baseprice *2, name=="Volcanic Umbrella Mushroom", baseprice *2)
| eval savageDraught = savageDraught/2.5
| search savageDraught!=''
| bucket span=1h _time
| stats sum(savageDraught) AS craftedCost by _time
| appendcols
[search index=main sourcetype=marketapi name="Savage Draught"
| eval purchaseCost = pricePerOne ]
| eval profit=purchaseCost - craftedCost - 100000
| eval finalProfit=profit.85
| timechart span=1h sum(finalProfit)

aberkow · ‎11-14-2019

I could be wrong here, but fairly certain your issue is that you no longer have the literal _time field, which is required for the timechart command. Example:

| makeresults count=3 | timechart count This works.

| makeresults count=3 | eval time=_time | table time, count | timechart count This doesn't work.

Rename/coalesce your time variables to _time and give it a shot?

Tylerdygert · ‎11-15-2019

How would I get my _time field back? I'm unsure how to accomplish this.

aberkow · ‎11-15-2019

Two ways: you can recreate it, like below, or you can never change your variables out of _time format at all.

| eval _time = coalesce(hammertime, Time) should work. All I meant was I'm pretty sure the timechart command absolutely requires a field called _time, it doesn't have to be the native one though!

How to get timechart to work in a search with multiple calculations

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services