Timewrap and x-axis lables

tmurray3 · ‎12-16-2014

I use the following query to generate a chart to compare the last 4 weeks volume by day/hour.

 index=volume_hourly_summary report="volumebyhour" earliest=-4w@w latest=@w| timechart span=1h sum(count) as TotalVolume|timewrap w series=exact

I would like to change the x-axis label values from dates of the current week (e.g. Sun Dec 7 2014, Mon Dec 8 2014...) to the Day of the week (Sun,Mon...).

I tried the following query but no luck:

index=volume_hourly_summary report="volumebyhour" earliest=-4w@w latest=@w| timechart span=1h sum(count) as TotalVolume | timewrap w series=exact| eval _time=strftime(_time, "%A")

Thanks in advance for your help!!

carasso · ‎12-16-2014

The timechart UI expects full times, not days of week. If you're willing to lose the hourly details within a day, something like this should work:

index=volume_hourly_summary report="volumebyhour" earliest=-4w@w latest=@w | timechart span=1d sum(count) as TotalVolume | timewrap w series=exact| eval time=strftime(_time, "%A") | fields - _time | table time *

(note, this removes _time and uses 'time', and I replaced 1h with 1d)

You might have to sort the days of the week.

Timewrap and x-axis lables

SplunkTrust | Where Are They Now - Michael Uschmann

Admin Your Splunk Cloud, Your Way

Cloud Platform | Discontinuing support for TLS version 1.0 and 1.1