Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Specify timestamp display format for timechart axis labels

chendry
Explorer
‎02-14-2011 01:34 PM

Hi everyone,

I want the timestamps for the X-axis labels of a timechart to have the following format:

MM-DD HH:mm

where HH:mm is in 24-h format, M designates month, m designates minute.

Example: "February 14th, 1PM" should look like "02-14 13:00"

Does anyone now how & where this can be configured?

Thanks!

Tags (1)
Reply

chendry
Explorer
‎02-15-2011 09:06 AM

Thanks for your replies -

The proposed method worked:

... | timechart span=1m sum(HTTP_5xx) | fillnull value=0 | rename _time AS Time | eval Time=strftime(Time, "%m-%d %H:%M")

However, using the above search command, the labels on the X-Axis disappear.

This is how chart labels looked before ("bad" timestamp formatting, but proper labels):

alt text

This is how chart labels look now (proper timestamp formatting, but labels not shown):

alt text

I use the following chart formatting option the force label visibility:

          <param name="charting.primaryAxisLabels.majorLabelVisibility">show</param>

However, with the reformatted timestamps, the labels only partly appear (i.e. they are still cut off) when stretching the chart horizontally to ~ 2000 pixels...

Reply

chendry
Explorer
‎02-15-2011 10:12 AM

I guess the cause for this is that after using strftime(), the chart values on the X-Axis are not anymore of type TIME, but CATEGORY. Unfortunately, I think that it is not possible to properly space the major labels for a CATEGORY axis because the param "charting.axisLabelsX.majorUnit" does not seem to exist for category axis type. Does anyone know how to space category labels?

Reply

Ron_Naken
Splunk Employee
Splunk Employee
‎02-14-2011 05:24 PM

You can use chart to do the same as timechart:

... | eval Time = strftime(_time, "%m/%d %H:%M") | chart count as Total by Time

And it's easy to format a chart...

EDIT:

Based on gkanapathy's comment, it might be better to implement it like this to ensure proper sorting of the time values:

... | eval Time = _time | chart count as Total by Time span=1h | eval Time=strftime(Time, "%m/%d %H:%M")
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎02-14-2011 09:43 PM

You should do the chart/timechart, then apply a rename and eval afterwards to solve these issues.

Reply

gkanapathy
Splunk Employee
Splunk Employee
‎02-14-2011 09:39 PM

That won't quite work, as the Time field will not necessarily be sorted in the right order, and furthermore if the data isn't distributed evenly, your time axis won't be even over time. You can use the makecontinuous command to try to overcome the second problem.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2026-2027 SplunkTrust is officially open. If ...