Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

help on X axis date truncated with a scheduled search

jip31
Motivator
‎03-02-2021 10:31 PM

Hello

 

I have an issue on the X axis of my timechart

As you can see in my xml file, I use a scheduled search in order to display the timechart on the last 30 days

But considering that today it's the 3 of March, Splunk display the data between the 3 of February and the 3 of March. It's not a problem for me but the real problem is that on my X axis I have the 1 of Februray and the 2 of February empty because in this case Splunk calculate 30 days considering there is just 28 days in February (please see my screenshot)

So, what is the solution :

1) for displaying a line chart on a 30 days period (so between the 1 of February and the 2 of March)

2) Or to avoid to habe the 1 of February and the 2 of February displayed considering that Splunk display the line chart between the 3 of February and the 3 of March

Thanks

 

 

 

 

 <query>| loadjob savedsearch="admin:SA_WXCV_sh:Performances - Boot trend" 
| timechart span=1d eval(round(avg(BootTime)/1000,0)) as "Boot time" 
| eventstats avg("Boot time") as Average 
| eval Average=round(Average,0)</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">-45</option>
        <option name="charting.axisTitleX.text">Date</option>
        <option name="charting.axisTitleY.text">Boot time (Average in seconds)</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.showDataLabels">all</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.fontColor">#000000</option>
        <option name="height">400</option>
        <option name="refresh.display">progressbar</option>
        <option name="charting.chart.overlayFields">Average</option>
        <option name="charting.fieldColors">{"Boot time": 0x639BF1, "Average":0xFF5A09}</option>
        <option name="charting.fieldDashStyles">{"Boot time":"solid"}</option>
        <option name="charting.lineWidth">4px</option>
      </chart>

 

 

 

Screenshot

https://www.cjoint.com/c/KCdgGtebT5h

 

Tags (1)
0 Karma
Reply

jip31
Motivator
‎03-03-2021 09:22 PM

Is anybody can help please?

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-03-2021 12:01 AM

Does the data exist in your saved report or is only 3rd Feb to 3rd Mar being returned?

0 Karma
Reply

jip31
Motivator
‎03-03-2021 12:25 AM

data exists for average field for 1 and 2 of February but not for boot time field

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-03-2021 12:31 AM

Can you fix the saved search so that the missing boot time data is returned?

0 Karma
Reply

jip31
Motivator
‎03-03-2021 12:54 AM

I dont know how to do it, reason why I posted this question....

When I execute the search directly in my dashboard, I have data on the last 30 days (1 February to 3 March)

But when I use the saved search I have only data between 3 February and 3 March

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...