Timechart of values

tbrown · ‎08-07-2020

This is probably a really simple question but I have events coming in every minute.

I've used | rex field=_raw .... to extract a field from those events.

How do I plot these field values over time?

This is what my statistics look like.

I've tried

| timechart span=1m values(Last_Heartbeats)

but nothing shows up on my line graph. I've also tried it without a span, I've tried | stats with a | bucket command, I've tried dc(Last_Heartbeats) but I can't figure it out.

bowesmana · ‎08-09-2020

See that your numbers in that column are left justified - that's always a good indicator that Splunk does not think they are numbers, so @isoutamo 's reply is likely to fix your problem

isoutamo · ‎08-07-2020

Are you sure that those Last_Heartbeats are numbers? If not then use

eval Last_Heartbeats = tonumber (trim(Last_Heartbeats))

r. Ismo

Timechart of values

field extraction

fields

stats

table

timechart

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

Your summer travels continue with new course releases

Are you a member of the Splunk Community?

Timechart of values