Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

plotting date versus time chart

usha_nittala
New Member
‎05-12-2014 03:41 AM

Hi ,
I have a requirement to present a report to show three jobs and what time they start every day.

Eg: 

                abc           xyz           lmn
05/10/14        21:30         21:30         21:40
05/11/14        21:35         21:45         21:40
05/12/14        21:30         22:00         21:50

All these three jobs run everyday so I want to plot time when they started as the time might differ for each job everyday.

Tags (2)
0 Karma
Reply

harshavrath
Contributor
‎05-13-2014 10:53 PM

Hi,

The output is in EPOCh(Unix)Time you can convert it by using |fieldformat NEW_Field=strftime(date/Time_field."%d-%m-%Y %H: %M: %S")

0 Karma
Reply

somesoni2
Revered Legend
‎05-14-2014 08:31 AM

For visualization you need numeric data for y axis, here the time is string.

0 Karma
Reply

usha_nittala
New Member
‎05-14-2014 03:49 AM

I tried this way and got the chart:
| inputcsv mytest.csv| search JOB_NAME="jobstart1" | eval actual=strftime(strptime(ACT_TIME,"%H.%M"),"%H:%M") | chart first(actual) over JOB_DATE by JOB_NAME
and got output like this:
JOB_DATE jobstart1

03/18/2014 21:35

03/19/2014 21:30

03/20/2014 21:45

when I am trying to see the visualization in splunk using line chart.Its not showing anything.. It should show three seperate line as date is on x -axis and time is on y-axis.

Where am I going wrong?

0 Karma
Reply

usha_nittala
New Member
‎05-13-2014 10:22 PM

Thanks for the answer.

I have already tried something like this:

| inputcsv mytest.csv | search JOB_NAME="jobstart1" | eval actual=round(strptime(ACT_TIME,"%H.%M"),0) | chart last(actual) over JOB_DATE by JOB_NAME

Its giving me output in this format:

JOB_DATE jobstart1

03/18/2014 1400031300

03/19/2014 1400031900

03/20/2014 1400031600

This giving me time in wierd format.1400031300

How to convert this time to readable format i.e 1400031300 should be 21:35

Thanks,
Usha

0 Karma
Reply

somesoni2
Revered Legend
‎05-12-2014 05:23 AM

If you have fields like _time (job run date time) and job_name, then try this:

you base search giving _time, job_name | eval Date=strftime(_time,"%d/%m/%y") | eval Time=strftime(_time,"%H:%M") | chart first(Time) over Date by job_name
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...