Splunk Search

Need to populate recent time value at the column left and oldest time towards right using chart command

arunrajamani
New Member

Hello Experts,

We had created splunk dashboard for monitoring automation tests which is triggered at Jenkins. Below is the dashboard view which we created and kindly help here in getting the time field to show latest value in the left and currently it was showing oldest value in the left.

Kindly help here in sharing your valuable inputs.

Cheers,
Arun

Tags (2)
0 Karma

to4kawa
Ultra Champion
| makeresults count=2
| streamstats count
| eval _time = if (count==2,relative_time(_time,"-2d@m"), relative_time(_time,"@m"))
| makecontinuous span=1m
| eval steps="step".(random() % 7 + 1)
| bin span=3h _time
| timechart limit=0 count by steps
| eval step=strftime(_time,"%Y-%m-%dT%H:%M:%SZ") 
| table step*
| reverse
| transpose 0 header_field=step column_name=steps

Hi folks,
try reverse

0 Karma

niketn
Legend

@arunrajamani can you please refer to one of my older Answer on similar lines
https://answers.splunk.com/answers/724720/how-can-i-change-from-descendant-to-ascendant-in-t.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

arunrajamani
New Member

Hello nike,

Thanks for your reply.
I tried this but not working.
I need a solution with respect to chart command only so that my view shouldn't change.

Kindly help!!

0 Karma

arunrajamani
New Member

Steps 19/11-15:00 19/11-21:00 20/11-09:00 20/11-12:00
Step1 P P P F
Step2 P P P S
Step3 P P P S
Step4 P P P S
Step5 P P P S
Step6 P P P S
Step7 P P P P

0 Karma

arunrajamani
New Member

Hello Miller,

I tried reverse command aswell but not worked. Kindly help me some other way using the chart command

0 Karma

rmmiller
Contributor

Does the reverse command help you accomplish this?

0 Karma

arunrajamani
New Member

Query used:

Below is the query used to generate this dashboard.

index=splunk
|spath ​
|rename triggered-at as StartTime​
|spath path=scenarioData{} ​
| mvexpand scenarioData{} ​
| spath input=scenarioData{} ​

|rename environment as Environment, "business scenario" as BusinessScenario,steps{}.fullName as Steps,steps{}.status as Status steps{}.steptime as StepTime steps{}.stepduration as Duration evidenceURL as Evidence​

|eval string1=mvzip(Steps,Status,"sep_")​
|mvexpand string1​
|rex field=string1 "(?.)sep_"​
|rex field=string1 "sep_(?.
)"​

|eval Status = if('Status'="passed","P",if('Status'="failed","F",if('Status'="Pass","P",if('Status'="Fail","F",if('Status'="Skipped","S",if('Status'="skipped","S",'Status'))))))​
​|eval epoche=strptime(StartTime,"%Y-%m-%dT%H:%M:%SZ")​
|eval c_time=strftime(epoche,"%d/%m-%H:00")​
| search Environment="sit" AND BusinessScenario="BusinessScenario1" AND application="" AND type=""​​
| table Steps Status c_time StepTime Duration Evidence​
| chart values(Status) by Steps,c_time

0 Karma
Get Updates on the Splunk Community!

How I Instrumented a Rust Application Without Knowing Rust

As a technical writer, I often have to edit or create code snippets for Splunk's distributions of ...

Splunk Community Platform Survey

Hey Splunk Community, Starting today, the community platform may prompt you to participate in a survey. The ...

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...