Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to modify timewrap legend?

Clovisa
Path Finder
‎06-26-2018 12:31 AM

Hi ! I am trying to modify the legend generated by the timewrap command. I saw that we could slightly change it with the parameter "series" but it's not really giving me what I want.

Let's say I want to have a sum of prices from this request :

index=sandbox earliest=-13d | timechart sum(prices) as "Sum of the prices" span=d | timewrap 1w series=relative

The legend will be Sum of the prices_1week_before and Sum of the prices_latest_week . I would like to have something like Sum of the prices for the week before and Sum of the prices for the latest week .

How can I get this ? Thanks !

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎06-26-2018 04:20 AM

One option would be to use series="exact" option to provide format for time series i.e.

<yourCurrentSearch>
| timewrap 1w series=exact time_format="Sum of the prices for %Y-%U week"

If you intend to use series="relative", you can use rename command to change series name as required (relative option will generate some generic names as per the series name in the timechart.

<yourCurrentSearch>
| timewrap 1w series=relative
| rename "Sum of the prices_latest_week" as  "Sum of the prices latest week",
         "Sum of the prices_1week_before" as  "Sum of the prices the week before",
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Reply
Solved! Jump to solution
Solution

niketn
Legend
‎06-26-2018 04:20 AM

One option would be to use series="exact" option to provide format for time series i.e.

<yourCurrentSearch>
| timewrap 1w series=exact time_format="Sum of the prices for %Y-%U week"

If you intend to use series="relative", you can use rename command to change series name as required (relative option will generate some generic names as per the series name in the timechart.

<yourCurrentSearch>
| timewrap 1w series=relative
| rename "Sum of the prices_latest_week" as  "Sum of the prices latest week",
         "Sum of the prices_1week_before" as  "Sum of the prices the week before",
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

Clovisa
Path Finder
‎06-26-2018 05:06 AM

That's perfect, thank you 😄

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...