Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

help on X axis date truncated with a scheduled search

jip31
Motivator
‎03-02-2021 10:31 PM

Hello

 

I have an issue on the X axis of my timechart

As you can see in my xml file, I use a scheduled search in order to display the timechart on the last 30 days

But considering that today it's the 3 of March, Splunk display the data between the 3 of February and the 3 of March. It's not a problem for me but the real problem is that on my X axis I have the 1 of Februray and the 2 of February empty because in this case Splunk calculate 30 days considering there is just 28 days in February (please see my screenshot)

So, what is the solution :

1) for displaying a line chart on a 30 days period (so between the 1 of February and the 2 of March)

2) Or to avoid to habe the 1 of February and the 2 of February displayed considering that Splunk display the line chart between the 3 of February and the 3 of March

Thanks

 

 

 

 

 <query>| loadjob savedsearch="admin:SA_WXCV_sh:Performances - Boot trend" 
| timechart span=1d eval(round(avg(BootTime)/1000,0)) as "Boot time" 
| eventstats avg("Boot time") as Average 
| eval Average=round(Average,0)</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">-45</option>
        <option name="charting.axisTitleX.text">Date</option>
        <option name="charting.axisTitleY.text">Boot time (Average in seconds)</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.showDataLabels">all</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.fontColor">#000000</option>
        <option name="height">400</option>
        <option name="refresh.display">progressbar</option>
        <option name="charting.chart.overlayFields">Average</option>
        <option name="charting.fieldColors">{"Boot time": 0x639BF1, "Average":0xFF5A09}</option>
        <option name="charting.fieldDashStyles">{"Boot time":"solid"}</option>
        <option name="charting.lineWidth">4px</option>
      </chart>

 

 

 

Screenshot

https://www.cjoint.com/c/KCdgGtebT5h

 

Tags (1)
0 Karma
Reply

jip31
Motivator
‎03-03-2021 09:22 PM

Is anybody can help please?

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-03-2021 12:01 AM

Does the data exist in your saved report or is only 3rd Feb to 3rd Mar being returned?

0 Karma
Reply

jip31
Motivator
‎03-03-2021 12:25 AM

data exists for average field for 1 and 2 of February but not for boot time field

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-03-2021 12:31 AM

Can you fix the saved search so that the missing boot time data is returned?

0 Karma
Reply

jip31
Motivator
‎03-03-2021 12:54 AM

I dont know how to do it, reason why I posted this question....

When I execute the search directly in my dashboard, I have data on the last 30 days (1 February to 3 March)

But when I use the saved search I have only data between 3 February and 3 March

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

 Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...