Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

displaying chart

shreeCS
New Member
‎09-11-2013 11:38 PM

Hi,

I have csv file uploaded on to splunk.Here is the sample entries 

Intime Outtime
8:33  17:39
8:38  17:40
8:33  19:28
8:32  17:37

Here i created calculated field which gives the difference between Intime and outtime.
Expected output is 

Intime Outtime  durationHrs
8:33  17:39      9.100
8:38  17:40      9.033
8:33  19:28      10.19
8:32  17:37      9.083

The query is given below : 

host="abc" | convert mstime(Outtime) AS otime | convert mstime(Intime) AS itime |eval durationHrs=(otime - itime)/60 | Timechart count by durationHrs

Here i want to generate a chart in such a way that my Y-axis should be durationHrs and X-axis should be time but in the above query,in Y-axis i'm getting count not the durationHrs values.
How this can be done? Do we need to use different function other than count in a timechart,if yes what needs to be used/done?

Thank you

Tags (1)
0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎09-12-2013 12:44 AM

Hi shreeCS

well timechart has time on the X-axis by default. Your problem is that you count the numbers of events that contain a field named durationHrs, instead of displaying the values of this field.
To achieve what you want, change your search to something like this:

 host="abc" | convert mstime(Outtime) AS otime, mstime(Intime) AS itime |eval durationHrs=(otime - itime)/60 | timechart values(durationHrs) AS myDuration

hope this helps.....

cheers, MuS

0 Karma
Reply

shreeCS
New Member
‎09-12-2013 01:41 AM

Hi MuS,Whatever you suggested is working fine.
Thanks!!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...