Solved: timechart with SLA value

hartfoml · ‎01-16-2013

I would like to create a timechart with an SLA value.

I have tried this search sourcetype=foo | eval sla=50 | timechart span=15m count | table count sla

this did not work reliably.

Can anyone suggest a better way

jonuwz · ‎01-16-2013

This is probably what you need :

search sourcetype=foo | timechart span=15m count | eval sla=50

View solution in original post

jonuwz · ‎01-16-2013

This is probably what you need :

search sourcetype=foo | timechart span=15m count | eval sla=50

MuS · ‎08-06-2013

found one way to be able to drill down with sla line, use the eval before the timechart like this:

… | eval b=50 | timechart values(b) as base count by foo

MuS · ‎07-25-2013

Hi, using this eval after timechart works perfect. But if you create a report view out of it, you are no longer able to drill down -> PARSER: Applying intentions failed Unable to drilldown because of post-reporting 'eval' command

How can this be avoid?

hartfoml · ‎01-18-2013

Thanks Jonuwx

timechart with SLA value

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation