Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Plot Values by Time
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello, im having trouble getting timechart by value to give me any results. I have a data set that has a value for each day, so far 30 days worth of data, each "Elapsed Time" is anywhere from 33 - 40 seconds, showing 00:33:56 etc etc however when i timechart this i dont get any errors but i also dont get any results. i dont want an average or count but the exact value, is this possible?
i've tried |timechart value(elapsed) , | timechart dc(elapsed) | timechart values(elapsed) span=1d | chart values(elapsed) by _time.
any help would be appreciated
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Lavster,
I've recreated what I think your dataset might look like in Splunk with the search below. Let me know if it isn't correct:
(you can copy paste this directly into Splunk)
| gentimes start=6/1/19 end=6/30/19 increment=1d
| eval seconds = random()%7 + 3
| eval milliseconds = random()%60
| eval milliseconds = if(len(milliseconds) = 1, "0".milliseconds, milliseconds)
| eval elapsed = "00:3".seconds.":".milliseconds
| eval _time = starttime
| table _time elapsed
Assuming that it looks correct, you can use this search to convert the time into seconds, which will allow you to plot the values in a chart:
...BASE SEARCH...
| table _time elapsed
| rex field=elapsed "(?<minutes>\d{2})\:(?<seconds>\d{2})\:(?<milliseconds>\d+)"
| eval minutes = minutes * 60, milliseconds = milliseconds / 100
| eval elapsed = minutes + seconds + milliseconds
| chart values(elapsed) OVER _time
Let me know if you run into any trouble!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When using timechart, the field used as the argument to the aggregation function (e.g. avg()) must contain only numbers. In your case, it does not, so change that like this:
... | eval | convert dur2sec(elapsed) AS elapsed_seconds | timechart avg(elapsed_seconds) span=1d
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Lavster,
I've recreated what I think your dataset might look like in Splunk with the search below. Let me know if it isn't correct:
(you can copy paste this directly into Splunk)
| gentimes start=6/1/19 end=6/30/19 increment=1d
| eval seconds = random()%7 + 3
| eval milliseconds = random()%60
| eval milliseconds = if(len(milliseconds) = 1, "0".milliseconds, milliseconds)
| eval elapsed = "00:3".seconds.":".milliseconds
| eval _time = starttime
| table _time elapsed
Assuming that it looks correct, you can use this search to convert the time into seconds, which will allow you to plot the values in a chart:
...BASE SEARCH...
| table _time elapsed
| rex field=elapsed "(?<minutes>\d{2})\:(?<seconds>\d{2})\:(?<milliseconds>\d+)"
| eval minutes = minutes * 60, milliseconds = milliseconds / 100
| eval elapsed = minutes + seconds + milliseconds
| chart values(elapsed) OVER _time
Let me know if you run into any trouble!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for this, worked a charm
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
can you post your full query and a sample data set
See Splunk Platform & Observability Innovations at Cisco Live EMEA
The OpenTelemetry Certified Associate (OTCA) Exam
From Manual to Agentic: Level Up Your SOC at Cisco Live
