Re: Timewrap and x-axis lables

tmurray3 · ‎12-16-2014

I use the following query to generate a chart to compare the last 4 weeks volume by day/hour.

 index=volume_hourly_summary report="volumebyhour" earliest=-4w@w latest=@w| timechart span=1h sum(count) as TotalVolume|timewrap w series=exact

I would like to change the x-axis label values from dates of the current week (e.g. Sun Dec 7 2014, Mon Dec 8 2014...) to the Day of the week (Sun,Mon...).

I tried the following query but no luck:

index=volume_hourly_summary report="volumebyhour" earliest=-4w@w latest=@w| timechart span=1h sum(count) as TotalVolume | timewrap w series=exact| eval _time=strftime(_time, "%A")

Thanks in advance for your help!!

carasso · ‎12-16-2014

The timechart UI expects full times, not days of week. If you're willing to lose the hourly details within a day, something like this should work:

index=volume_hourly_summary report="volumebyhour" earliest=-4w@w latest=@w | timechart span=1d sum(count) as TotalVolume | timewrap w series=exact| eval time=strftime(_time, "%A") | fields - _time | table time *

(note, this removes _time and uses 'time', and I replaced 1h with 1d)

You might have to sort the days of the week.

Timewrap and x-axis lables

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation