Hello Everyone!
I have a timechart visualization and I would like to change the order of the number that are in the Y-axis from descendant to ascendant.
As you see in the picture, it goes from 3 - 6 - 9 - 12 and instead I would like something like this 24 - 21 - 18 - 15.
This My query, I tried something like
|sort -"_time"
|sort -"duracion"
index=controlm | eval duracion=strftime(_time,"%H.%M")
| timechart max(duracion) by job_member_name limit=20
But neither of those, do what I want.
@danielgp89 Can you try the following run anywhere example based on Splunk's _internal index?
1) Simulates your current scenario with Timechart command
index=_internal sourcetype=splunkd log_level!=INFO NOT (component IN (Periodic*,Metrics*)) earliest=-1d@d latest=-0d@d-1s
| eval duracion=strftime(_time,"%H.%M")
| timechart max(duracion) as duracion by component limit=20 useother=f usenull=f
2) Uses stats to bucket events over time and then chart to transpose as needed. String Time has been used instead of Epoch time to reverse the chart.
index=_internal sourcetype=splunkd log_level!=INFO NOT (component IN (Periodic*,Metrics*)) earliest=-1d@d latest=-0d@d-1s
| eval duracion=strftime(_time,"%H.%M")
| bin _time span=1h
| stats max(duracion) as duracion by _time component
| eval Time=strftime(_time,"%Y/%m/%d %H:%M")
| chart max(duracion) as duracion by Time component limit=20 useother=f usenull=f
| reverse
PS: Since duraction is HH.MM I have taken 24 hour data (I have picked Previous Day instead of current time window, so that chart does not change everytime we run query on Splunk's _internal index which is constantly being written)
@danielgp89 Can you try the following run anywhere example based on Splunk's _internal index?
1) Simulates your current scenario with Timechart command
index=_internal sourcetype=splunkd log_level!=INFO NOT (component IN (Periodic*,Metrics*)) earliest=-1d@d latest=-0d@d-1s
| eval duracion=strftime(_time,"%H.%M")
| timechart max(duracion) as duracion by component limit=20 useother=f usenull=f
2) Uses stats to bucket events over time and then chart to transpose as needed. String Time has been used instead of Epoch time to reverse the chart.
index=_internal sourcetype=splunkd log_level!=INFO NOT (component IN (Periodic*,Metrics*)) earliest=-1d@d latest=-0d@d-1s
| eval duracion=strftime(_time,"%H.%M")
| bin _time span=1h
| stats max(duracion) as duracion by _time component
| eval Time=strftime(_time,"%Y/%m/%d %H:%M")
| chart max(duracion) as duracion by Time component limit=20 useother=f usenull=f
| reverse
PS: Since duraction is HH.MM I have taken 24 hour data (I have picked Previous Day instead of current time window, so that chart does not change everytime we run query on Splunk's _internal index which is constantly being written)
Hello @chrisyoungerjds!
I was thinking, what if I change the value of the hour for -1. For example:
from 21.00 to 21.59 = -3
from 22.00 to 22.59 = -2,
from 23.00 to 23.59 = -1,
from 00.00 to 00.59 = 0,
index=controlm | eval duracion=strftime(_time,"%H.%M") | eval hora=case(duracion>="23.00" AND duracion<"23.59", "-1",duracion>="00.00" AND duracion<"00.59", "0",duracion>="01.00" AND duracion<"01.59", "1",duracion>="02.00" AND duracion<"02.59", "2") | timechart max(duracion) by job_member_name
So it going to start from the bottom!
But one of the issues that I have here is that is not working that I expect! Because each time it find a number that match the query the other ones disappear.
Could you help me to land my idea please.
Best Regards!
No @chrisyoungerjds I didn't set anything.
Look! Here an example of how does the _time match with the duration field that I created
Thanks a lot for your help @chrisyoungerjds! hehe but doesn't work either.
That query decomposed my data. It supposed that the Y axis is the hour where the event has executed, but with this query it display me another data!
Original Query!
With Suggest Query!
