Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can I add timescale for x-axis to chart

john_howley
Path Finder
‎05-07-2015 01:53 AM

I have the following query which produces a chart that only shows TIME as the x-axis label and doesn't show the times themselves on the axis - I would like to add that. according to the chart reference there is timescale option, but I have been unable to get that to work.
Note: the startdate and enddate fields are taken from input boxes.
|dbquery "MassPayPrimary" [stats count | head 1| eval startdate = 155051341 | eval enddate = 1550515 | eval sqlstr = "\"select a.msgsubtype, substr(a.time_stamp,12,8) as Time, a.msg_status, count (*) as NUMBER_PROCESSED from table a where a.IIFIS > '%startdate%' and a.IIFIS < '%enddate%' and a.msg_status = 'COMPLETE' AND a.msgsubtype IS NOT NULL group by msgsubtype, substr(atime_stamp,12,8), a.msg_status order by substr(a.time_stamp,12,8) asc\"" | eval sqlstr = replace(sqlstr, "%startdate%", startdate) | eval sqlstr = replace(sqlstr, "%enddate%", enddate) | return $sqlstr] | chart max(NUMBER_PROCESSED) by TIME, MSGSUBTYPE | fillnull

If I try to convert to timechart it complains that MSGSUBTYPE is not valid.

Tags (1)
0 Karma
Reply

john_howley
Path Finder
‎05-27-2015 03:55 AM

As additional info to the question I noted that the series data count went over the 1000 maximum. i tried re-configuring limit to see if that would help, but it didn't. I also tried to restirct the number of events being returned to below 1000 - again that made no difference. Also the field that TIME is being extracted from is just a text field not a date field so I wondered if that had any impact on it. I did try converting to a date but again that didn't help.

0 Karma
Reply

DaveAsh
Engager
‎05-13-2015 10:37 AM

Hi John,
I am certain someone else may have a better idea about this, but figured you still didn't have an answer in 6 days so I would take a shot at part of the question.
Normally I have had issues with timechart being case sensitive. The field in your query where you are grouping is by msgsubtype and then you try to timechart with MSGSUBTYPE might be causing the field is not valid. If I change the field case I always end up with a chart that just contains nulls.
So, like I said I am sure there are others out there that have different idea's that will help but perhaps this will start a dialog.
-Dave

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...