Re: How to display all months (irrespective of dat...

ManoDavidson · ‎05-03-2018

Hi,
I'am relatively new to splunk and exploring Timechart.
I want to display a stacked bar chart which will have count of "state" (for eg: closed, completed,etc) stacked on x-axis on over another.
The x-axis will have all the all the months, irrespective of data present for that month as shown in below image.
[ query:

| eval _time = strptime(opened_at,"%d/%m/%Y")
| timechart count(state) as Value by state
| eval Time=strftime(_time, "%b %Y")
]

But i want to display all the months here and hence i used below query to display all the months, but im unable to reproduce the stacked bars for unknown reasons.
[query:
| eval _time = strptime(opened_at,"%d/%m/%Y")
| timechart count(state) as Value by state
| eval Time=strftime(_time, "%b %Y")
| table Time,Value
]

kindly help

xpac · ‎05-03-2018

Hey, try using | timechart span=1mon - then timechart will not automatically determine which time slots to group, but will build one per month.

ManoDavidson · ‎05-04-2018

Hi xpac,
I tried the same, but I am still getting an empty timechart like the second image i shared.

How to display all months (irrespective of data present for that particular month) on the X-axis when using timechart.

.conf24 | Day 0

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector