Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

timechart

mm12
Explorer
‎11-26-2021 09:22 AM

Hi,

I am just taking the total count of incident using stats command form the json and the query is working fine. But when I using timechart command it is not giving me the visualization. Please anyone help me on this.

index=incident_index  source="/mi_data/dc_in_events.json" | spath path=Incident__Number output=INC | stats values(*) as * by INC | stats count(Incident__Number)

Thanks

 

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎11-26-2021 10:52 AM

How are you trying to add timechart to this search?

You're already doing stats and getting a single number so there is nothing to make timechart from.

BTW, you calculate stats values(*) but then only use one of those fields. Instead of doing all this, just doing

| stats dc(Incident_Number)

Instead of both stats would be enough.

About the timechart - it's not clear what you want to do. Can you explain it?

0 Karma
Reply

mm12
Explorer
‎11-26-2021 01:15 PM

@PickleRick - I am using below query for time chart instead of stats command but it is not working.

index=incident_index  source="/mi_data/dc_in_events.json" | spath path=Incident__Number output=INC | stats values(*) as * by INC | timechart count 

Thanks

Tags (1)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎11-26-2021 02:11 PM

Well, if you do your stats, you lose the _time field because you're aggregating data over values of INC. You might have a multivalued field containing all values of _time in one row but that's just one row, so there's no basis for timechart.

What do you want to chart? Tell us with your own words, not with SPL.

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...