Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Timechart breaking up

reverse
Contributor
‎07-16-2019 06:13 AM

Expected result

Date    xxx
2019-05-05T00:00:00.000-0400    119394
2019-05-12T00:00:00.000-0400    705593
2019-05-19T00:00:00.000-0400    724051
2019-05-26T00:00:00.000-0400    622243
2019-06-02T00:00:00.000-0400    923656
2019-06-09T00:00:00.000-0400    1040106
2019-06-16T00:00:00.000-0400    1117687
2019-06-23T00:00:00.000-0400    1331860
2019-06-30T00:00:00.000-0400    779990
2019-07-07T00:00:00.000-0400    838488
2019-07-14T00:00:00.000-0400    884224

Actual result

Date    xxx
    2019-05-05T00:00:00.000-0400    119394
    2019-05-12T00:00:00.000-0400    705593
    2019-05-19T00:00:00.000-0400    724051
    2019-05-26T00:00:00.000-0400    622243
    2019-06-02T00:00:00.000-0400    923656
    2019-06-09T00:00:00.000-0400    1040106
    2019-06-16T00:00:00.000-0400    1117687
    2019-06-23T00:00:00.000-0400    1331860
    2019-06-30T00:00:00.000-0400    779990
    2019-07-07T00:00:00.000-0400    838488
    2019-07-11T00:00:00.000-0400    884224

please see the last rows.

query

.....
| table Date , xxx
| eval formattedDate=strptime(Date, "%Y-%m-%d") 
| where formattedDate > relative_time(now(), "-10w@w") 
| eval _time=formattedDate |  bin  _time  AS TIME span=7d@w2 | convert ctime(TIME)  
| stats avg(xxx) by TIME
Tags (1)
0 Karma
Reply

mattymo
Splunk Employee
Splunk Employee
‎07-16-2019 01:59 PM

So is the issue the date field values in the second set of results?

We might want to avoid the table command, where you drop the _time field.

What sourcetype are you using and how is date/time extraction being handled? got a props.conf by any chance?

Sounds like events have been on-boarded where the date field should have been used for the _time value?

- MattyMo
0 Karma
Reply

reverse
Contributor
‎07-16-2019 02:02 PM

sourcetype = data from CSV ..2 columns as shown above ..

0 Karma
Reply

mattymo
Splunk Employee
Splunk Employee
‎07-16-2019 02:26 PM

so are you literally using the sourcetype called "csv"?

in the props.conf we can ensure the _time values are extracted and formatted?

can you share the source csv, or just confirm how it looks when you ingest it?

I'll ingest your expected table as a csv and share the configs. You just want to depict the xxx value over time correct? for the last 10 weeks?

I think we can simplify the spl a bit.

- MattyMo
0 Karma
Reply

reverse
Contributor
‎07-16-2019 02:37 PM

i am doing |inputcsv to load data into splunk.

0 Karma
Reply

mattymo
Splunk Employee
Splunk Employee
‎07-17-2019 06:56 AM

so you have a search that |outputcsv then you load that with |inputcsv ?

- MattyMo
0 Karma
Reply

reverse
Contributor
‎07-17-2019 07:00 AM

initially yes .. to build that CSV ... WHERE i am exporting 2 columns .. date and xx

0 Karma
Reply

mattymo
Splunk Employee
Splunk Employee
‎07-17-2019 07:14 AM

sweet, i will play and report back

- MattyMo
0 Karma
Reply

reverse
Contributor
‎07-16-2019 06:14 AM

tried timechart, chart .. played with span=7d@w2.. same result

0 Karma
Reply

reverse
Contributor
‎07-16-2019 06:51 AM

@Vijeta @jnudell_2 -please guide

0 Karma
Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...