Splunk can be pretty mean at times and do things that have no sense. Im trying to create a chart that shows a few percentages from data going back 6 months which is plopped in to week buckets. The below query is only creating monthly buckets though...
index=pmc sourcetype=stash source="PDL Per*" WORKFLOWSTATUSID!=1 earliest=-6mon@w
| eval WORKFLOWSTATUSID=case(WORKFLOWSTATUSID==0,"Finished", WORKFLOWSTATUSID==1, "In Progress", WORKFLOWSTATUSID==4, "Error",WORKFLOWSTATUSID==7,"Failed", 1=1, "Other")
| bin _time span=7d
| timechart mean(percent) as percent by WORKFLOWSTATUSID usenull=f span=7d
All help is appreciated greatly.
can you either remove the bin _time or make the timechart into a chart and see if that works?
index=pmc sourcetype=stash source="PDL Per*" WORKFLOWSTATUSID!=1 earliest=-6mon@w
| eval WORKFLOWSTATUSID=case(WORKFLOWSTATUSID==0,"Finished", WORKFLOWSTATUSID==1, "In Progress", WORKFLOWSTATUSID==4, "Error",WORKFLOWSTATUSID==7,"Failed", 1=1, "Other")
| timechart mean(percent) as percent by WORKFLOWSTATUSID usenull=f span=7d
OR
index=pmc sourcetype=stash source="PDL Per*" WORKFLOWSTATUSID!=1 earliest=-6mon@w
| eval WORKFLOWSTATUSID=case(WORKFLOWSTATUSID==0,"Finished", WORKFLOWSTATUSID==1, "In Progress", WORKFLOWSTATUSID==4, "Error",WORKFLOWSTATUSID==7,"Failed", 1=1, "Other")
| bin _time span=7d
| chart mean(percent) as percent by _time WORKFLOWSTATUSID usenull=f
Cheers cmerriman.
The latter option worked. Am I right in saying its bizarre that my original query was duff?
did you try moving span ?
| timechart span=7d mean(percent) as percent by WORKFLOWSTATUSID usenull=f
If I recall correctly, order matters here
That was my first thought too
can you either remove the bin _time or make the timechart into a chart and see if that works?
index=pmc sourcetype=stash source="PDL Per*" WORKFLOWSTATUSID!=1 earliest=-6mon@w
| eval WORKFLOWSTATUSID=case(WORKFLOWSTATUSID==0,"Finished", WORKFLOWSTATUSID==1, "In Progress", WORKFLOWSTATUSID==4, "Error",WORKFLOWSTATUSID==7,"Failed", 1=1, "Other")
| timechart mean(percent) as percent by WORKFLOWSTATUSID usenull=f span=7d
OR
index=pmc sourcetype=stash source="PDL Per*" WORKFLOWSTATUSID!=1 earliest=-6mon@w
| eval WORKFLOWSTATUSID=case(WORKFLOWSTATUSID==0,"Finished", WORKFLOWSTATUSID==1, "In Progress", WORKFLOWSTATUSID==4, "Error",WORKFLOWSTATUSID==7,"Failed", 1=1, "Other")
| bin _time span=7d
| chart mean(percent) as percent by _time WORKFLOWSTATUSID usenull=f
What happens if you change 7d to 1w?