×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
abake
Engager
Member since: ‎12-04-2016
‎06-05-2020
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 1
Member Since ‎12-04-2016
Activity Feed
View All

Re: How to create a time chart using multiple cust...

by in Splunk Search
‎12-05-2016 02:28 PM
‎12-05-2016 02:28 PM
Thanks for your help. Unfortunately using this query I still get results arbitrarily out of the date range. Regardless of what the picker is set to I get results as far back as December in the chart. However, I've amended by original search to include the new tokens. This seems to work - mostly. The only issue I'm having now is that the tokens don't seem to update correctly - the search seems to use whatever the picker was last set to. ... View more

How to create a time chart using multiple custom t...

by in Splunk Search
‎12-04-2016 10:00 PM
1 Karma
‎12-04-2016 10:00 PM
1 Karma
I'm trying to chart two different things in the same graph using two different custom time fields. It almost works (the graph shows up), however, the time range picker seems to be mangling things a bit. Even though eval is overwriting _time for the timechart function, the initial search is still searching based on initial _time value, and is therefore not returning accurate results. Needless to say, when I try to timechart this, it's a bit of a mess. No matter what I do, it seems that the search returns data from as far back as a year (possibly the entire data set). index=* | eval CloseTime=strptime('Closed Date Time',"%d/%m/%Y %I:%M:%S %p") | where CloseTime>relative_time(CloseTime, "$timepicker.earliest$") | eval _time=CloseTime | timechart count AS Closed span=1d | appendcols [ search index=* | eval CreateTime=strptime('Created Date Time',"%d/%m/%Y %I:%M:%S %p") | where CreateTime>relative_time(CreateTime, "$timepicker.earliest$") | eval _time=CreateTime | timechart count AS Created span=1d ] ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM
Karma from
View All