topic Re: Time of Day on Y Axis in Splunk Search

Time of Day on Y Axis

jstockamp — Mon, 28 Sep 2020 15:24:38 GMT

I'm trying to create a chart that has the time of day on the y axis. I have a results table that looks like this:

Database      Time_of_Day
db_1          10:00
db_2          10:05
db_3          13:30

If I do a "chart max(Time_of_Day) by Database" I see results in the results table but nothing in any of the chart types. What am I missing here? How do I tell splunk to use a time scale for the Y axis?

Re: Time of Day on Y Axis

somesoni2 — Mon, 28 Sep 2020 15:24:43 GMT

What are the values you get (as table) after your chart command? does it shows Time_Of_Day as epoch time (decimal number)?

Re: Time of Day on Y Axis

Simon_Fishel — Wed, 04 Dec 2013 04:50:54 GMT

What does your raw data look like? The best way to get time charts in Splunk is to generate some events with extracted timestamps and then use the "timechart" search command.

Re: Time of Day on Y Axis

lguinn2 — Wed, 04 Dec 2013 05:02:49 GMT

The problem that I see here is that there is no truly "graphable" data in your output.

You cannot tell Splunk to use a time-scale on the Y axis. At least not for chart or timechart: by definition, the Y axis must be the numeric result of one of the chart or timechart functions, and none of them return time values. max(Time_of_Day) will work only if Time_of_Day is numeric - otherwise it returns null values.

You could do something like this

yoursearchhere
| timechart span=30m count by Database

which will graph the count of events attributable to each database.

You might also look at the xyseries command, but I am not sure that it will do what you want, either...