Dashboards & Visualizations

How to format X axis label in the timechart?

arjit
Path Finder

Hi All, 

I am running a below query: 

index=xyz sourcetype=abc  | dedup _raw| timechart span=1m count 

and what I could see is that the label in the X-axis is always in the below format: 

arjit_0-1611020398601.png

timechart below: 

arjit_0-1611021260314.png

We want date parameter before the month (in AU format) which will be Tue 19 Jan 2021. 

Inspite of using Strftime or fieldformat, I am not able to change this label format.  Can anybody please help me out on this? 

@woodcock : Hi woodcock! I remember you responded to a query in a similiar lines sometime before, but I wasn't able to find that response now.. Need your inputs please !

Please do let me know in case of any queries 

Thanks 

AG.

 

 

 

Labels (1)
0 Karma
1 Solution

renjith_nair
Legend

Try ,

timechart span=1m count |convert timeformat="%a %d %m %Y %H:%M:%S" ctime(_time) AS time | fields - _time | fields time,*

 

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

0 Karma

renjith_nair
Legend

Try ,

timechart span=1m count |convert timeformat="%a %d %m %Y %H:%M:%S" ctime(_time) AS time | fields - _time | fields time,*

 

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

arjit
Path Finder

@renjith_nair  Thanks Renjith! But I am not getting any label  in the x axis now after this query 😞 

arjit_0-1611043225372.png

 

0 Karma

renjith_nair
Legend

renjith_nair_0-1611047592776.png

This is my sample search

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

arjit
Path Finder

@renjith_nair Thanks Renjith for this.  Yeah this is working when the time span chosen is less (say for 30 mins or so).. The problem what I am facing here is that I have to show the timechart for entire day and time span chosen is 5 mins. So what happens is if the X-axis label is long (as in this case for e.g. Tue 19 01 2021 16:50:00), it wont display it in the x - axis. But when we allow the timechart to choose default _time option, it shows the labels properly. So are you aware if there is an option to change the timechart using XML option without changing the search query?  

0 Karma
Get Updates on the Splunk Community!

Detecting Brute Force Account Takeover Fraud with Splunk

This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...

Buttercup Games: Further Dashboarding Techniques (Part 9)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Buttercup Games: Further Dashboarding Techniques (Part 8)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...