Splunk Search

Can you help me format the x-axis of a timechart?

RWL01
Engager

alt text
alt text

How do I format the x-axis to look like the first picture from the timechart documentation? To clarify,I want to have grouped labels for the hour, day / month, and year.

Currently, my x-axis looks like the second image.
Thanks for any help

0 Karma

bjoernjensen
Contributor

Hi,

your line chart looks like it is not coming from the timechart command.

Do you use the _time field? Or just time with values of the format %FT%T%z.

I tried to copy your effect and avoid using timechart on some internal data (last 24h):

index = _internal sourcetype=splunkd component=*process*
| stats count by component _time
| eval _time=strftime(_time,"%FT%T%z")
| xyseries _time component count

Even then the splunk search visulization formats my x axis of the line chart with "good" time labels.

But if I use this instead:

    index = _internal sourcetype=splunkd component=*process*
    | stats count by component _time
    | eval time=strftime(_time,"%FT%T%z")
    | xyseries time component count

The labels of the x axis look like in your chart.

Does this help?
Björn

0 Karma

RWL01
Engager
eventtype=SummaryTiming 
| eval server=substr(source, 11, 6)
| search FunctionAction=ll.browse AND server=wfe* AND date_hour>=6 AND date_hour<18
| timechart cont=FALSE span=3h 
  eval(round(avg(ExecutionTime),2)) as AvgExec
  by server
0 Karma

RWL01
Engager

Thanks for the help, I've posted my query above and I'm using the timechart in it. I ran your query and got the same display results initially but as it got more stats, splunk formatted the x-axis. To be clear, I want to get the formatting shown in the first image.

0 Karma

kmaron
Motivator

timechart will format the x-axis for you depending on the timeframe and span you are using.

dgawande
Engager

Try this

| timechart .....
| fieldformat _time = strftime(_time, "%Y-%m-%d %H:%M")

0 Karma

RWL01
Engager

I uploaded what my graph currently looks like, is there a way to make the x-axis be formatted like the first image?

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...