Re: Need help in creating timechart query

jcvytla · ‎04-04-2018

I have hourly data for 30 days on execution of jobs. I wanted to create a timechart based on elapsed time. could you please help me through. my query:

| inputlookup xxxx.csv |eval in_epoch = strptime(time, "%m/%d/%Y %H:%M") | timechart span=1d as ElapsedTime

Could you please help?

mayurr98 · ‎04-05-2018

I think you should try something like this

| inputlookup xxxx.csv |eval _time=strptime(time, "%m/%d/%Y %H:%M") | timechart span=1d count

OR

| inputlookup xxxx.csv |eval _time=time | bin _time span=1d | stats count by _time

let me know if this helps!

jcvytla · ‎04-05-2018

HI Mayur,

Thanks for your response. But, both the solution are not working. Data is not being populated in the first place.

Thanks

splunker12er · ‎04-04-2018

try this,

 | inputlookup xxxx.csv |eval in_epoch = strptime(time, "%m/%d/%Y %H:%M")  | bucket in_epoch span=1d| stats count values(your_field) as your_field by in_epoch |convert ctime(in_epoch)

jcvytla · ‎04-05-2018

Hi @splunker12er,

Thanks for your response. I don't get any error, but is not being populated

splunker12er · ‎04-04-2018

try this,

| inputlookup xxxx.csv |eval in_epoch = strptime(time, "%m/%d/%Y %H:%M")  | bucket in_epoch span=1d| stats count values(your_field) as your_field by in_epoch |convert ctime(in_epoch)

adonio · ‎04-04-2018

try this:
| inputlookup xxxx.csv |eval _time = strptime(time, "%m/%d/%Y %H:%M") | timechart span=1d as ElapsedTime

jcvytla · ‎04-05-2018

Hi @adonio,

Thanks for your response.I'm getting this error while running the your solution:

"Error in 'timechart' command: The specifier 'as' is invalid. It must be in form (). For example: max(size)."

Need help in creating timechart query

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Unleash Unified Security and Observability with Splunk Cloud Platform