Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Need help in creating timechart query
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Need help in creating timechart query
jcvytla
New Member
04-04-2018
03:34 PM
I have hourly data for 30 days on execution of jobs. I wanted to create a timechart based on elapsed time. could you please help me through. my query:
| inputlookup xxxx.csv |eval in_epoch = strptime(time, "%m/%d/%Y %H:%M") | timechart span=1d as ElapsedTime
Could you please help?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mayurr98
Super Champion
04-05-2018
12:28 AM
I think you should try something like this
| inputlookup xxxx.csv |eval _time=strptime(time, "%m/%d/%Y %H:%M") | timechart span=1d count
OR
| inputlookup xxxx.csv |eval _time=time | bin _time span=1d | stats count by _time
let me know if this helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jcvytla
New Member
04-05-2018
10:25 AM
HI Mayur,
Thanks for your response. But, both the solution are not working. Data is not being populated in the first place.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
splunker12er
Motivator
04-04-2018
09:28 PM
try this,
| inputlookup xxxx.csv |eval in_epoch = strptime(time, "%m/%d/%Y %H:%M") | bucket in_epoch span=1d| stats count values(your_field) as your_field by in_epoch |convert ctime(in_epoch)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jcvytla
New Member
04-05-2018
10:27 AM
Hi @splunker12er,
Thanks for your response. I don't get any error, but is not being populated
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
splunker12er
Motivator
04-04-2018
09:26 PM
try this,
| inputlookup xxxx.csv |eval in_epoch = strptime(time, "%m/%d/%Y %H:%M") | bucket in_epoch span=1d| stats count values(your_field) as your_field by in_epoch |convert ctime(in_epoch)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
adonio
Ultra Champion
04-04-2018
06:33 PM
try this:
| inputlookup xxxx.csv |eval _time = strptime(time, "%m/%d/%Y %H:%M") | timechart span=1d as ElapsedTime
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jcvytla
New Member
04-05-2018
10:23 AM
Hi @adonio,
Thanks for your response.I'm getting this error while running the your solution:
"Error in 'timechart' command: The specifier 'as' is invalid. It must be in form (). For example: max(size)."
Get Updates on the Splunk Community!
Aligning Observability Costs with Business Value: Practical Strategies
Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...
Mastering Data Pipelines: Unlocking Value with Splunk
In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...
Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0
Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...
