Splunk Search

Can I add timescale for x-axis to chart

john_howley
Path Finder

I have the following query which produces a chart that only shows TIME as the x-axis label and doesn't show the times themselves on the axis - I would like to add that. According to the chart reference there is a timescale option, but I have been unable to get that to work.
Note: the startdate and enddate fields are taken from input boxes.
|dbquery "MassPayPrimary" [stats count | head 1| eval startdate = 155051341 | eval enddate = 1550515 | eval sqlstr = "\"select a.msgsubtype, substr(a.time_stamp,12,8) as Time, a.msg_status, count (*) as NUMBER_PROCESSED from table a where a.IIFIS > '%startdate%' and a.IIFIS < '%enddate%' and a.msg_status = 'COMPLETE' AND a.msgsubtype IS NOT NULL group by msgsubtype, substr(a.time_stamp,12,8), a.msg_status order by substr(a.time_stamp,12,8) asc\"" | eval sqlstr = replace(sqlstr, "%startdate%", startdate) | eval sqlstr = replace(sqlstr, "%enddate%", enddate) | return $sqlstr] | chart max(NUMBER_PROCESSED) by TIME, MSGSUBTYPE | fillnull

If I try to convert to timechart it complains that MSGSUBTYPE is not valid.

0 Karma

john_howley
Path Finder

As additional info to the question, I noted that the series data count went over the 1000 maximum. I tried re-configuring the limit to see if that would help, but it didn't. I also tried to restrict the number of events being returned to below 1000 - again that made no difference. Also, the field that TIME is being extracted from is just a text field, not a date field, so I wondered if that had any impact on it. I did try converting to a date but again that didn't help.

0 Karma

DaveAsh
Engager

Hi John,
I am certain someone else may have a better idea about this, but figured you still didn't have an answer in 6 days so I would take a shot at part of the question.
Normally I have had issues with timechart being case sensitive. The field you are grouping by in your query is msgsubtype, and then trying to timechart with MSGSUBTYPE might be what is causing the "field is not valid" message. If I change the field case I always end up with a chart that just contains nulls.
So, like I said, I am sure there are others out there that have different ideas that will help, but perhaps this will start a dialog.
-Dave

0 Karma