Dashboards & Visualizations

Set X-Axis Range for Timechart

cinimins
Explorer

 

 

Hi,

I have a dashboard with time picker and a dummy search to transform relative timestamps to absolute timestamps:

 

<search>
  <query>| makeresults</query>
  <earliest>$time.earliest$</earliest>
  <latest>$time.latest$</latest>
  <progress>
    <eval token="timeEarliest">strptime($job.earliestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
    <eval token="timeLatest">strptime($job.latestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
  </progress>
</search>

 

Next, I have a chart querying something using the timepicker from the form. Per default, the chart will automatically adjust the X-Axis to the results found, not the entire searched timespan. I want to change this behavior and tried setting chart.axisX to the absolute timestamp values, but it doesn't seem to work. Is there something that I am missing?

 

<chart depends="$timeEarliest$,$timeLatest$">
  <search>
    <query>... | chart count OVER _time BY some_field</query>
    <earliest>$time.earliest$</earliest>
    <latest>$time.latest$</latest>
  </search>
  <option name="charting.axisX.minimumNumber">$timeEarliest$</option>
  <option name="charting.axisX.maximumNumber">$timeLatest$</option>
  <option name="charting.chart">column</option>
</chart>

 

 

 

 

 

Labels (2)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

The timechart command will produce zero results that pad the X-axis and should give the desired results.

<chart depends="$show_chart_terminations$,$timeEarliest$,$timeLatest$">
  <search>
    <query>... | timechart count BY some_field</query>
    <earliest>$time.earliest$</earliest>
    <latest>$time.latest$</latest>
  </search>
  <option name="charting.axisX.minimumNumber">$timeEarliest$</option>
  <option name="charting.axisX.maximumNumber">$timeLatest$</option>
  <option name="charting.chart">column</option>
</chart>

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

The timechart command will produce zero results that pad the X-axis and should give the desired results.

<chart depends="$show_chart_terminations$,$timeEarliest$,$timeLatest$">
  <search>
    <query>... | timechart count BY some_field</query>
    <earliest>$time.earliest$</earliest>
    <latest>$time.latest$</latest>
  </search>
  <option name="charting.axisX.minimumNumber">$timeEarliest$</option>
  <option name="charting.axisX.maximumNumber">$timeLatest$</option>
  <option name="charting.chart">column</option>
</chart>

 

---
If this reply helps you, Karma would be appreciated.

cinimins
Explorer

Thank you, that makes total sense! 🙂

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...