Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

plotting date versus time chart

usha_nittala
New Member
‎05-12-2014 03:41 AM

Hi ,
I have a requirement to present a report to show three jobs and what time they start every day.

Eg: 

                abc           xyz           lmn
05/10/14        21:30         21:30         21:40
05/11/14        21:35         21:45         21:40
05/12/14        21:30         22:00         21:50

All these three jobs run everyday so I want to plot time when they started as the time might differ for each job everyday.

Tags (2)
0 Karma
Reply

harshavrath
Contributor
‎05-13-2014 10:53 PM

Hi,

The output is in EPOCh(Unix)Time you can convert it by using |fieldformat NEW_Field=strftime(date/Time_field."%d-%m-%Y %H: %M: %S")

0 Karma
Reply

somesoni2
Revered Legend
‎05-14-2014 08:31 AM

For visualization you need numeric data for y axis, here the time is string.

0 Karma
Reply

usha_nittala
New Member
‎05-14-2014 03:49 AM

I tried this way and got the chart:
| inputcsv mytest.csv| search JOB_NAME="jobstart1" | eval actual=strftime(strptime(ACT_TIME,"%H.%M"),"%H:%M") | chart first(actual) over JOB_DATE by JOB_NAME
and got output like this:
JOB_DATE jobstart1

03/18/2014 21:35

03/19/2014 21:30

03/20/2014 21:45

when I am trying to see the visualization in splunk using line chart.Its not showing anything.. It should show three seperate line as date is on x -axis and time is on y-axis.

Where am I going wrong?

0 Karma
Reply

usha_nittala
New Member
‎05-13-2014 10:22 PM

Thanks for the answer.

I have already tried something like this:

| inputcsv mytest.csv | search JOB_NAME="jobstart1" | eval actual=round(strptime(ACT_TIME,"%H.%M"),0) | chart last(actual) over JOB_DATE by JOB_NAME

Its giving me output in this format:

JOB_DATE jobstart1

03/18/2014 1400031300

03/19/2014 1400031900

03/20/2014 1400031600

This giving me time in wierd format.1400031300

How to convert this time to readable format i.e 1400031300 should be 21:35

Thanks,
Usha

0 Karma
Reply

somesoni2
Revered Legend
‎05-12-2014 05:23 AM

If you have fields like _time (job run date time) and job_name, then try this:

you base search giving _time, job_name | eval Date=strftime(_time,"%d/%m/%y") | eval Time=strftime(_time,"%H:%M") | chart first(Time) over Date by job_name
0 Karma
Reply
Get Updates on the Splunk Community!

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...

IM Landing Page Filter - Now Available

We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud

Splunk continues to improve the troubleshooting experience in Observability Cloud with this latest enhancement ...