Solved: How to plot a graph based on values of a field?

dritjon · ‎08-19-2022

I have a search whish results in these events:

user	last_event
user1	2021-12-30 08:57:36.77
user2	2022-03-12 22:29:52.333
user 3	2022-03-13 08:02:48.253

I want to plot a chart where on the X axis there's the dates and on the Y there's the user

ITWhisperer · ‎08-19-2022

Try this

| eval _time=strptime(last_event,"%Y-%m-%d %H:%M:%S")
| timechart count by user

View solution in original post

ITWhisperer · ‎08-19-2022

You need three things to plot a graph, the x-axis field, the y-axis value and the series name - from your example, the x-axis would be the time (you should parse the string to an epoch time strptime()); the series name would be the user name(?), but what would be the y-axis value?

dritjon · ‎08-19-2022

the y-axis value would always be 1 for example.

I just want a chart where I can see (in the last year for example) when's the last event of a users

ITWhisperer · ‎08-19-2022

Try this

| eval _time=strptime(last_event,"%Y-%m-%d %H:%M:%S")
| timechart count by user

dritjon · ‎08-19-2022

Thanks, it worked.

Just for visualization, any way I can make that chart as Bubble Chart?

Because as is it works only as a Column Chart

ITWhisperer · ‎08-19-2022

Bubble charts don't display time very well

How to plot a graph based on values of a field?

chart

fields

timechart

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?