Dashboards & Visualizations

How to create a legend on the y-axis to show all dates?

Explorer

Help with time chart on legend(y-axis) instead of x-axis
with time field to show as July 2018 for all June dates

Example of original date field values:
7/2/2018
7/7/2018
7/13/2018
8/2/2018

I should also be able to apply time picker options.
NB: Data is from a lookup table

0 Karma

SplunkTrust

@Bentash, please try the following run anywhere search based on Splunk's _internal index.
PS: I have used the time format %Y/%m, i.e. 2018/01, 2018/02 etc., to have the string date field sorted. If you can live with this format, you will not need the rename commands after that. The rename command changes the same from 2018/01 to Jan 2018 etc.

The transpose command has been used to invert the axis. Also, since the timechart command is used, the default timespan-related fields, i.e. _span* values, need to be removed from the results.

index=_internal sourcetype=splunkd log_level!="INFO"
| timechart span=1mon count
| eval _time=strftime(_time,"%Y/%m")
| transpose header_field="_time"
| search column!="_*"
| rename "*/01" as "Jan *"
| rename "*/02" as "Feb *"
| rename "*/03" as "Mar *"
| rename "*/04" as "Apr *"
| rename "*/05" as "May *"
| rename "*/06" as "Jun *"
| rename "*/07" as "Jul *"
| rename "*/08" as "Aug *"
| rename "*/09" as "Sep *"
| rename "*/10" as "Oct *"
| rename "*/11" as "Nov *"
| rename "*/12" as "Dec *"

Please try out and confirm. Also see whether you need Bar chart or Column chart to represent your data. As your total data points will be less you may use bar chart instead.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
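
An added example, not part of the thread and not the answerer's query: the same timechart-and-transpose approach applied to string dates like the ones in the question, with the time picker honored through addinfo. The rows are constructed from the dates in the question, raw_date is a hypothetical field name, and with real lookup data the first four lines would be replaced by an inputlookup of your own lookup.

```spl
| makeresults
| eval raw_date="7/2/2018,7/7/2018,7/13/2018,8/2/2018"
| makemv delim="," raw_date
| mvexpand raw_date
| eval _time=strptime(raw_date, "%m/%d/%Y")
| addinfo
| where _time>=info_min_time AND (_time<=info_max_time OR info_max_time="+Infinity")
| timechart span=1mon count
| eval _time=strftime(_time, "%Y/%m")
| transpose header_field="_time"
| search column!="_*"
```

Set the time picker to All time or to a range covering 2018; a narrower range filters the constructed rows out before timechart runs.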

Explorer

@niketnilay, this did not work and is actually returning false results.
I just need to flip the time field, and basically this is creating columns for that field and counting the field value for that field.

0 Karma

SplunkTrust

What do you mean by false results? Did you run the exact run anywhere search or plug in your base query?

I tested with and without transpose after the timechart command and count remained the same.

If you are not testing the above run anywhere search, can you please paste the query that you have tried, along with the expected result?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Explorer

Unfortunately I cannot share my pictures. Don't know why, but for instance one field has over 18 counts (counted by another field), but when I transpose I get less than that.

0 Karma

Explorer

@niketnilay, this data is from a lookup too so consider _time

0 Karma

SplunkTrust

@Bentash could you add a mock screenshot of what you need?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Explorer

@niketnilay I added a sketch

0 Karma