Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can I add timescale for x-axis to chart

john_howley
Path Finder
‎05-07-2015 01:53 AM

I have the following query which produces a chart that only shows TIME as the x-axis label and doesn't show the times themselves on the axis - I would like to add that. according to the chart reference there is timescale option, but I have been unable to get that to work.
Note: the startdate and enddate fields are taken from input boxes.
|dbquery "MassPayPrimary" [stats count | head 1| eval startdate = 155051341 | eval enddate = 1550515 | eval sqlstr = "\"select a.msgsubtype, substr(a.time_stamp,12,8) as Time, a.msg_status, count (*) as NUMBER_PROCESSED from table a where a.IIFIS > '%startdate%' and a.IIFIS < '%enddate%' and a.msg_status = 'COMPLETE' AND a.msgsubtype IS NOT NULL group by msgsubtype, substr(atime_stamp,12,8), a.msg_status order by substr(a.time_stamp,12,8) asc\"" | eval sqlstr = replace(sqlstr, "%startdate%", startdate) | eval sqlstr = replace(sqlstr, "%enddate%", enddate) | return $sqlstr] | chart max(NUMBER_PROCESSED) by TIME, MSGSUBTYPE | fillnull

If I try to convert to timechart it complains that MSGSUBTYPE is not valid.

Tags (1)
0 Karma
Reply

john_howley
Path Finder
‎05-27-2015 03:55 AM

As additional info to the question I noted that the series data count went over the 1000 maximum. i tried re-configuring limit to see if that would help, but it didn't. I also tried to restirct the number of events being returned to below 1000 - again that made no difference. Also the field that TIME is being extracted from is just a text field not a date field so I wondered if that had any impact on it. I did try converting to a date but again that didn't help.

0 Karma
Reply

DaveAsh
Engager
‎05-13-2015 10:37 AM

Hi John,
I am certain someone else may have a better idea about this, but figured you still didn't have an answer in 6 days so I would take a shot at part of the question.
Normally I have had issues with timechart being case sensitive. The field in your query where you are grouping is by msgsubtype and then you try to timechart with MSGSUBTYPE might be causing the field is not valid. If I change the field case I always end up with a chart that just contains nulls.
So, like I said I am sure there are others out there that have different idea's that will help but perhaps this will start a dialog.
-Dave

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...