Re: Regarding implementation of Calendar visualiza... - Page 2

accgarima · ‎02-16-2017

I have a requirement where I have four fields :
1. AverageValue (of a month for some parameter A)
2. ActualValue (on each date for that month for the parameter A)
3. DeviationValue (AverageValue-ActualValue/Average Value --> on each date for the month)---> this field will be color coded based on the devation percentage
4. Each Date for the month with ActualValue

For example say for the month of february the average value is 5:

AverageValue ActualValue DeviationValue(%) Date

5 8 -60 02/06/2017
5 7 -40 02/08/2017
5 9 -80 02/10/2017

I want to display the Deviation value with the color coding in the Calendar Visualization for each month (in this example say February).

I know we need to use time chart command , but some how I am not getting the output . Please help.

duraij · ‎08-21-2017

Hi,

I was able to create the calendar heatmap visuvalization but havig difficulty with the accurate display.

convert ctime(DATE),timeformat="%Y-%m-%d" |eval BankCTime=case(BankCTime>="0" AND BankCTime<="13.30","0", BankCTime>="13.30" AND BankCTime<="14.00","1", BankCTime>"14.00" AND BankCTime>="14.01","2")   |eval GCTime=case(GCTime>="0" AND GCTime<="15.0","0",GCTime>="15.01" AND GCTime<="15.30","1", GCTime<="15.30" AND GCTime>="15.31","2")|eval _time=strptime(DATE,"%Y-%m-%d")|timechart span=1d max(BankCTime) as IBTime values(GCTime) as GCTime

When I select Statistic visualization, the data is all correct, but when I select the Calendar Visualization for the same, I see that the Friday's data is listed for Thursday and Monday data is listed as Sunday's. I am not sure about this shift of data. Please help.

niketn · ‎08-21-2017

Can you add screenshots from stats and visualization tabs? Most likely this would be happening due to User's Time Zone. On the top Splunk Bar next to Messages click on the User Name and choose Account Settings. Under the Global section select the TimeZone as per the need.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

niketn · ‎09-13-2017

@duraji, I have converted one of my comments to Answer, since there were so many answers in the discussion requesting you to accept the answer once your issue is resolved and also up-vote the comments that have helped!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

niketn · ‎02-17-2017

Can you give timechart command you are using are you computing AverageValue ActualValue and Deviation value using the final timechart command or using stats/eval prior to that?

In case you already have computed average Actual and Deviation prior to the timechart then based on the number of buckets per day for a month you might have to use values() or min() or max() or any other suitable command.

For the deviation percent field, make sure it is numeric field to be plotted.

Are you using Calendar Heat Map custom visualization or using JS/CSS extension?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

duraij · ‎07-12-2017

Hi I have the same issue I am trying to display my output in calendar Visualization and I am using timechart command but I dont get any output eventhough I get results for the same query when I use chart or table command.Please help.
My query looks like this "index=""|eval BankCTime=strptime(BankClose, "%Y-%m-%d %H:%M:%S") | convert ctime(BankCTime),timeformat="%H"|eval GCTime=strptime(GC, "%Y-%m-%d %H:%M:%S") |convert ctime(GCTime),timeformat="%H"|fields COBDATE BankCTime GCTime|timechart span=1d count(GCTime) by COBDATE"
Data:
COBDATE BankCTime GCTime
20160701 14.15 13.12
20160702 13.10 15.16

Please help.Thanks

niketn · ‎07-13-2017

@duraji, I have cleaned up your query based on data necessary for your final timechart (since everything else will anyways be removed after timchart command)

<Your Base Search>
| eval _time=strptime(COBDATE,"%Y%m%d")
| timechart span=1d count(GC)

As per sample data COPDATE will be YYYYMMDD format based upon which you want to plot timechart. Please try out and let me know if it works.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

duraij · ‎07-13-2017

Hi ,
Thanks for the reply ,but no this doesn't give me any results. I want to display fields "BankCTime" and "GCTime" (these are eventime fields and I have extracted only hours.minutes for these fields) in CalendarHeatMap Visualization.So it should be COBDATE(_time) against GCTime(13.12-hour.minute) and BankCTime(14.12-hour.minute).

niketn · ‎07-13-2017

Your working query in your example had following as the final pipe

| timechart span=1d count(GCTime) by COBDATE, which implies you are doing count of GCTime by COBDATE. I had filtered query according to the same. With Calendar Heat Map you can split visuals by COBDATE or something else in the by clause.

I dont think your current data qualifies for a visualization through Calendar Heat Map. Can you mock the desired output screenshot?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

duraij · ‎07-17-2017

Hi,
My intention is to display green or Red color in the calendarHeatmap fro each date according to the range of the BankCtime and GCTime for e.g if BankCtime is between the range( 13.15 to 14.15 -Display in Green ) or (15.15to 15.30 -Orange) or (16.00 to 16.30 -Red).Please let me know how I can achieve this.
DATE BankCTime GCTime ResultBankCtime ResultGCTime
20160701 14.15 13.12 Green Orange

20160702 13.10 15.16 Red Green

duraij · ‎07-19-2017

Hi Please let me know how I can achieve the above I am still having difficulty.

Thanks

Regarding implementation of Calendar visualization

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!