Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to modify timewrap legend?

Clovisa
Path Finder
‎06-26-2018 12:31 AM

Hi ! I am trying to modify the legend generated by the timewrap command. I saw that we could slightly change it with the parameter "series" but it's not really giving me what I want.

Let's say I want to have a sum of prices from this request :

index=sandbox earliest=-13d | timechart sum(prices) as "Sum of the prices" span=d | timewrap 1w series=relative

The legend will be Sum of the prices_1week_before and Sum of the prices_latest_week . I would like to have something like Sum of the prices for the week before and Sum of the prices for the latest week .

How can I get this ? Thanks !

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎06-26-2018 04:20 AM

One option would be to use series="exact" option to provide format for time series i.e.

<yourCurrentSearch>
| timewrap 1w series=exact time_format="Sum of the prices for %Y-%U week"

If you intend to use series="relative", you can use rename command to change series name as required (relative option will generate some generic names as per the series name in the timechart.

<yourCurrentSearch>
| timewrap 1w series=relative
| rename "Sum of the prices_latest_week" as  "Sum of the prices latest week",
         "Sum of the prices_1week_before" as  "Sum of the prices the week before",
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Reply
Solved! Jump to solution
Solution

niketn
Legend
‎06-26-2018 04:20 AM

One option would be to use series="exact" option to provide format for time series i.e.

<yourCurrentSearch>
| timewrap 1w series=exact time_format="Sum of the prices for %Y-%U week"

If you intend to use series="relative", you can use rename command to change series name as required (relative option will generate some generic names as per the series name in the timechart.

<yourCurrentSearch>
| timewrap 1w series=relative
| rename "Sum of the prices_latest_week" as  "Sum of the prices latest week",
         "Sum of the prices_1week_before" as  "Sum of the prices the week before",
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

Clovisa
Path Finder
‎06-26-2018 05:06 AM

That's perfect, thank you 😄

0 Karma
Reply
Get Updates on the Splunk Community!

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...