Help with time chart on legend(y-axis) instead of x-axis
with time field to show as July 2018 for all June dates
example of original date field values= 7/2/2018
I should also be able to apply time picker options.
NB: Data is from a lookup table
@Bentash, please try the following run anywhere search based on Splunk's _internal index.
PS: I have used time format as
%Y/%m i.e. 2018/01, 2018/02 etc. to have the String date field sorted. If you can live with this format you will not need the rename commands after that. The rename command changes the same from
Jan 2018 etc.
Transpose command has been used to invert the axis. Also since timechart command is used default timespan related fields i.e.
_span* values need to be removed from results.
index=_internal sourcetype=splunkd log_level!="INFO" | timechart span=1mon count | eval _time=strftime(_time,"%Y/%m") | transpose header_field="_time" | search column!="_*" | rename "*/01" as "Jan *" | rename "*/02" as "Feb *" | rename "*/03" as "Mar *" | rename "*/04" as "Apr *" | rename "*/05" as "May *" | rename "*/06" as "Jun *" | rename "*/07" as "Jul *" | rename "*/08" as "Aug *" | rename "*/09" as "Sep *" | rename "*/10" as "Oct *" | rename "*/11" as "Nov *" | rename "*/12" as "Dec *"
Please try out and confirm. Also see whether you need
Bar chart or
Column chart to represent your data. As your total data points will be less you may use bar chart instead.
@niketnilay, this did not work and actually returning false results.
I just need to flip the time field and basically this is creating columns for that field and counting the field value for that field.
What do you mean why false results? Did you run the exact run anywhere search or plug in your base query?
I tested with and without transpose after the timechart command and count remained the same.
If you are not testing the above run anywhere search can you please paste the query that you have tried. Also with the expected result?