
https://docs.splunk.com/Documentation/Splunk/8.0.2/SearchReference/Timechart I tried several syntaxes but none is working; they all require an aggregate function. My goal is to display a line chart representing the value of an event field over time. Very simple, I don't need any max/min/sum/count at all. I need the x-axis to be the time span (the time range that I passed in as the query timespan), every event will be a data point in that chart, and the y-axis is the value of a field that I choose, for example `fieldA`, which is a double value field. How do I write my Splunk query? `search query ... | timechart fieldA`? (You don't have to use timechart; any command that can achieve my goal will be accepted.)

Update: let me try to describe what I want using a data generation example: `| makeresults count=10 | streamstats count AS rowNumber`. Let's say the time span is last 24 hours. When running the above query in Splunk, it will generate 10 records with the same `_time` field, which is @now, and a `rowNumber` field with values from 1 to 10. What I want to see is a visualization whose x-axis starts from (@now-24hours) to @now, with no data points for most of the x-axis, but at the last second (the rightmost) I want to see 10 dots whose y-axis values are from 1 to 10.

yww325

2 Answers

0

You do not need to use an aggregate function with timechart. Just about any stats function will do. See https://docs.splunk.com/Documentation/Splunk/8.0.2/SearchReference/Timechart#Stats_function_options.

Depending on the nature of your data and what you want to see in the chart, any of `timechart max(fieldA)`, `timechart latest(fieldA)`, `timechart earliest(fieldA)`, or `timechart values(fieldA)` may work for you.

RichG
  • Thank you for the answer, but in my opinion max/latest/earliest/values (like distinct) are all aggregate functions, in the sense that they reduce the number from the original results. I amended my question by adding an example to describe what I want to see. These functions didn't work for me – yww325 Apr 04 '20 at 22:59
0
```spl
| makeresults count=2
| streamstats count
| eval _time=if(count=1,relative_time(_time,"-1d"),_time)
| timechart span=160min count
| streamstats count
| timechart cont=f last(count)
```

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Eventorderfunctions

Try with the time picker set to all time.

> they reduced the number from original results.

It depends on how you use it.

  • If I am right, you're creating two events, one 24 hr before now, the other now, then displaying them in a timechart, which connects the two dots. But a line chart is not enough to display my case: at a certain point in time there could be multiple dots, and I don't want to aggregate them. So I think I don't need and can't see any lines; my graph is more like dots scattered in time. – yww325 Apr 06 '20 at 16:33
  • [Line Chart image](https://imgur.com/a/7Q6ACTj) Maybe your time picker is not `all time`. There are 10 results in _Statistics_. I don't have enough karma; the link is _imgur.com_ – Toshihisa Kawamata Apr 07 '20 at 23:16
  • Yes, there are 10 results in my example, and they share the same `_time`, so I want to see 10 dots with the same x values. Can that be drawn? – yww325 Apr 09 '20 at 01:07
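One way to keep every event as its own point while still using `timechart`, given as an added example that is not from either answer: split the chart by a per-row series name, so whatever stats function you use sees exactly one value per series and collapses nothing. It uses the asker's `makeresults` data; the `series` field name is my own choice.

```spl
| makeresults count=10
| streamstats count AS rowNumber
| eval series="row".tostring(rowNumber)
| timechart limit=0 span=1m max(rowNumber) by series useother=f
```

Render it as a Line Chart with markers or as a Scatter Chart: each of the ten series contributes a single point at the event's `_time`, and the default `cont=t` fills the empty minutes so the x-axis still covers the selected time range.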