Splunk Search

chart only display when event exist at day / day hour

buzek
Explorer

Hi

how to display in chart only the days (or day & hour) when a „event“ (in my case speedtest results) is/are available.

i do not need „count“, „avg“ …
in the community i found:
| timechart fixedrange=false count

but, cause i dont need/use „count by XY“ this is useless for me.

and, it can be to have more than just one (1) result per day.

_time           field_speedUp   field_speed_Down
2019/11/13 14:35:09     800     400
2019/11/13 14:37:28       300       200

thanks for helping 😉

Tags (2)
0 Karma
1 Solution

to4kawa
Ultra Champion
| makeresults
| eval raw="time            field_speedUp    field_speed_Down
2019/11/13 14:35:09      800        400
2019/11/13 14:37:28       300        200
2019/11/13 14:39:28       400        200"
| eval _raw=replace(raw,"  +",",")
| multikv forceheader=1
| eval _time=strptime(time,"%Y/%m/%d %H:%M:%S")
`comment("this is sample data")`
| table _time field_speedUp field_speed_Down

Hi, check Visualization and Line Chart
To separate _time, use bin command.

View solution in original post

woodcock
Esteemed Legend

Like this:

... | timechart fixedrange=false first(speedup) AS speedup first(speeddown) AS speeddown
0 Karma

buzek
Explorer

thank you woodcock

0 Karma

to4kawa
Ultra Champion
| makeresults
| eval raw="time            field_speedUp    field_speed_Down
2019/11/13 14:35:09      800        400
2019/11/13 14:37:28       300        200
2019/11/13 14:39:28       400        200"
| eval _raw=replace(raw,"  +",",")
| multikv forceheader=1
| eval _time=strptime(time,"%Y/%m/%d %H:%M:%S")
`comment("this is sample data")`
| table _time field_speedUp field_speed_Down

Hi, check Visualization and Line Chart
To separate _time, use bin command.

buzek
Explorer

Thank you. That's exactly what I was looking for.
- michael

0 Karma
Get Updates on the Splunk Community!

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...

Reminder! Splunk Love Promo: $25 Visa Gift Card for Your Honest SOAR Review With ...

We recently launched our first Splunk Love Special, and it's gone phenomenally well, so we're doing it again, ...