topic Re: Scatter Plot for time x-axis and numbered Y axis in Splunk Search

Scatter Plot for time x-axis and numbered Y axis

howardroark — Tue, 29 Sep 2020 14:52:38 GMT

I am looking to plot scatter plot to show all the data points in a particular time. Some how I am not able to get around it.
I tried using this:
..|eval time = _time | table time time_taken
This gives me the scatter plot with all the data points but the time displays in epoch.

Can i get a work around for this or a new method to get time in correct timestamp format.

Thanks.

Re: Scatter Plot for time x-axis and numbered Y axis

woodcock — Sat, 15 Jul 2017 20:42:00 GMT

First of all, the eval time=_time should really be rename _time AS time but even so, that part is exactly your problem. The _time field is very special. It is actually an epoch but it has a fieldformat automatically applied to it based on your region/preference settings to make it human-readable. Many of the built-in Splunk visualizations ( particularly the Line Chart and Area Chart ) treat _time in a special way and if you use the same value but with a different field name, these will behave very differently. What is wrong with this?

| table _time time_taken

Re: Scatter Plot for time x-axis and numbered Y axis

howardroark — Sat, 15 Jul 2017 22:33:53 GMT

I need a scatter plot! Thats the whole idea!

Re: Scatter Plot for time x-axis and numbered Y axis

Richfez — Sun, 16 Jul 2017 23:37:23 GMT

To make the display of the field be in something human readable, use fieldformat.

..
| eval time = _time 
| fieldformat time = strftime(time, "%H:%M:%S")
| table time time_taken

Of course, that just does Hours:Minutes:Seconds. If you need full dates you can use "%y-%m-%d %H:%M%:%S". Or day plus time could be "%d %H:%M%:%S" or .... well, I think you get the idea.

Let us know how it goes!

Happy Splunking,
Rich

Re: Scatter Plot for time x-axis and numbered Y axis

howardroark — Mon, 17 Jul 2017 13:14:27 GMT

This does not give me a scatter plot

Re: Scatter Plot for time x-axis and numbered Y axis

Richfez — Tue, 29 Sep 2020 14:53:08 GMT

Could you elaborate on what it doesn't do? You wrote in the original post

..|eval time = _time | table time
time_taken This gives me the scatter
plot with all the data points but the
time displays in epoch.

Which implied you had a scatter plot, but just didn't have the format of the time sorted out.

What else is wrong?

Re: Scatter Plot for time x-axis and numbered Y axis

howardroark — Mon, 17 Jul 2017 14:38:43 GMT

Yes I have the scatterplot with my code. But after using your code the scatter plot chart has all the values at 0. and the x axis is not time any more it is some number 20,30,40,50

Re: Scatter Plot for time x-axis and numbered Y axis

howardroark — Tue, 29 Sep 2020 14:55:26 GMT

My code is nothing but the same code given in the question |eval time = _time | table time time_taken.. this when switched to scatter plot chart gives you all the individual data points. But the x axos changes to epoch

Re: Scatter Plot for time x-axis and numbered Y axis

Richfez — Mon, 17 Jul 2017 19:11:12 GMT

You are right. Scatter charts don't seem to behave the same...

Usually you can fieldformat that stuff - it doesn't affect that the value is still in epoch, but it change the display of that field to be more human friendly.

In this case, the scatter chart doesn't work.

We're looking into it on Slack right now, digging around. Your question has been brought to the attention of others and we'll see if we can figure out if this is a bug or if there's a workaround.

Re: Scatter Plot for time x-axis and numbered Y axis

MattZerfas — Mon, 17 Jul 2017 20:09:00 GMT

This won't work for long duration's of time but it might get what you need if you are looking at a few hours or less.

 index=_internal 
| timechart count 
| eval time=_time 
|table  time count 
| fieldformat time=strftime(time, "%Y%m%d%H%M%S")

Re: Scatter Plot for time x-axis and numbered Y axis

howardroark — Mon, 17 Jul 2017 20:12:03 GMT

I am looking at data at a span of months, even years.

Re: Scatter Plot for time x-axis and numbered Y axis

MattZerfas — Mon, 17 Jul 2017 20:28:55 GMT

How granular or you wanting the data to show?

Re: Scatter Plot for time x-axis and numbered Y axis

howardroark — Mon, 17 Jul 2017 20:31:38 GMT

The data is granular upto seconds.

Re: Scatter Plot for time x-axis and numbered Y axis

howardroark — Mon, 17 Jul 2017 20:39:39 GMT

its basically the raw data i want to show. 'as is'

Re: Scatter Plot for time x-axis and numbered Y axis

MattZerfas — Mon, 17 Jul 2017 20:43:55 GMT

You are probably better off using a 3rd part viz to display that data then. Splunk native viz isn't the greatest at displaying large amounts of data points. Maybe look at importing a https://d3js.org/ chart?

Re: Scatter Plot for time x-axis and numbered Y axis

Richfez — Thu, 20 Jul 2017 01:09:43 GMT

A ticket has been opened. I think I may have now convinced support there's a real problem here. I will post back what I find.

Re: Scatter Plot for time x-axis and numbered Y axis

howardroark — Thu, 20 Jul 2017 01:12:29 GMT

Thanks rich! This is really appreciated!

Re: Scatter Plot for time x-axis and numbered Y axis

murakoshi — Fri, 24 Aug 2018 09:03:04 GMT

Scatter Chart is suitable for numerical expression on the X axis, not suitable for expressing rich time.
Therefore, I recommend using a Line Chart to try it.

１． Insert Null under each row of your table.

Example:

<base search>
| stats values(Y_Value) as Y_Value by _time,Status
| eval {Status}=Y_Value 
| append 
    [ search <base search> 
    | stats values(Y_Value) as Y_Value by _time,Status
    | eval Y_Value =null
        ] 
| sort 0 _time,Status
| fields - Y_Value ,Status

２． Set the graph as follows.

Graph: Line Chart
Setting: format> General> Null Values> select [Gaps]

Re: Scatter Plot for time x-axis and numbered Y axis

Richfez — Fri, 24 Aug 2018 13:12:04 GMT

Nice workaround, @murakoshi.

For what it's worth, there is now an Enhancement Request (SPL-152883) in place to make Scatterchart work with time. For some reason, they decided this behavior wasn't actually a bug but still needed fixing some day.

Re: Scatter Plot for time x-axis and numbered Y axis

Richfez — Fri, 24 Aug 2018 13:13:15 GMT

Sorry for having forgotten to update this!

Splunk support decided this behavior isn't actually a bug. There is now an Enhancement Request (SPL-152883) in place to make Scatterchart work with time.

Which means - maybe some day it'll work?