Splunk Search

Transpose and Timechart

IRHM73
Motivator

Hi, I wonder whether someone may be able to help me please.

I've put together the following query which works but I'm having trouble adding the 'timechart' command.

    (`wso2_wmf(RequestCompleted)`) OR (`auth_wmf(RequestReceived)`)
    | spath output=afin input=detail.responseMessage path=affinityGroup
    | eval requestid=coalesce('request.tags.X-Request-ID', 'tags.X-Request-ID')
    | stats values(afin) as afin, values(request.detail.apiContext) as api by requestid
    | search (api="benefits" OR api="employment" OR api="income")
    | stats count by afin, api
    | transpose 0
    | fields - column

I'd like the time to be shown in the far left column, but as soon as I incorporate the 'timechart' and 'transpose' commands, the format of the table is thrown out.

I just wondered whether someone may be able to look at this please and offer some guidance on how I can incorporate the 'timechart' with a span of 1d.

Many thanks and kind regards

Chris


kmaron
Motivator

Isn't your stats command dropping _time since it's not included?


IRHM73
Motivator

Hi @kmaron, yes thank you for this.

I've now included the _time but I have issues over the Transpose.

Kind Regards

Chris


skoelpin
SplunkTrust

When you use transpose you're turning your _time column into a row, and timechart is attempting to use time on the x-axis and it can't. I also noticed your query is using stats and not passing time. You need to add your _time to the stats.

Also, you can keep your stats, but you would need to add | bin _time span=1d before the stats command.

Why are you using transpose anyways?


IRHM73
Motivator

Hi @skoelpin, thank you for replying. I can certainly make the changes you suggest, but the reason I'm using transpose is so I can change the row values into column headers.

I'm not sure whether there is a more efficient way?

Kind Regards

Chris


skoelpin
SplunkTrust

I've updated the query for you. After running this, what's your desired result?

    (`wso2_wmf(RequestCompleted)`) OR (`auth_wmf(RequestReceived)`)
    | spath output=afin input=detail.responseMessage path=affinityGroup
    | eval requestid=coalesce('request.tags.X-Request-ID', 'tags.X-Request-ID')
    | bin _time span=1d
    | stats values(afin) as afin, values(request.detail.apiContext) as api by _time, requestid
    | search (api="benefits" OR api="employment" OR api="income")
    | stats count by _time, afin, api

IRHM73
Motivator

Hi @skoelpin, thank you for coming back to me with this.

The table does produce the date along with the data, but I'm not sure whether you picked up on my last comment about the transpose.

The api field value needs to be the column values, and as soon as I add the transpose command the time is also transposed, but I still need the _time as a row value. This is where I have the issue.

Kind Regards

Chris

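The layout the thread is after (one row per day, the api values as column headers) can be produced with `chart ... over _time by <field>`, which pivots a field's values into columns while leaving `_time` as the row key, so `transpose` is not needed at all. This is an added example, not a query posted in the thread; it assumes `wso2_wmf` and `auth_wmf` are search macros (as the backticks on the second term suggest), and it folds afin and api into a single `series` field so that both dimensions appear in the column headers, which is an assumption about the wanted layout. SPL offers no comment syntax that fits inside this fence, so the assumptions are listed here rather than in the query.

```spl
(`wso2_wmf(RequestCompleted)`) OR (`auth_wmf(RequestReceived)`)
| spath output=afin input=detail.responseMessage path=affinityGroup
| eval requestid=coalesce('request.tags.X-Request-ID', 'tags.X-Request-ID')
| bin _time span=1d
| stats values(afin) as afin, values(request.detail.apiContext) as api by _time, requestid
| search (api="benefits" OR api="employment" OR api="income")
| stats count by _time, afin, api
| eval series=afin." / ".api
| chart limit=0 sum(count) over _time by series
| fillnull value=0
| fieldformat _time=strftime(_time, "%Y-%m-%d")
```

`limit=0` keeps every afin/api combination as its own column instead of collapsing the ones beyond the first ten into OTHER, and `fillnull` puts an explicit 0 in days where a combination had no requests.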