Splunk Search

Can you help me format the x-axis of a timechart?

RWL01
Engager


How do I format the x-axis to look like the first picture from the timechart documentation? To clarify, I want to have grouped labels for the hour, day / month, and year.

Currently, my x-axis looks like the second image.
Thanks for any help

0 Karma

bjoernjensen
Contributor

Hi,

your line chart looks like it is not coming from the timechart command.

Do you use the _time field? Or just time with values of the format %FT%T%z.

I tried to copy your effect and avoid using timechart on some internal data (last 24h):

    index = _internal sourcetype=splunkd component=*process*
    | stats count by component _time
    | eval _time=strftime(_time,"%FT%T%z")
    | xyseries _time component count

Even then the Splunk search visualization formats my x axis of the line chart with "good" time labels.

But if I use this instead:

    index = _internal sourcetype=splunkd component=*process*
    | stats count by component _time
    | eval time=strftime(_time,"%FT%T%z")
    | xyseries time component count

The labels of the x axis look like in your chart.

Does this help?
Björn

0 Karma

RWL01
Engager

    eventtype=SummaryTiming
    | eval server=substr(source, 11, 6)
    | search FunctionAction=ll.browse AND server=wfe* AND date_hour>=6 AND date_hour<18
    | timechart cont=FALSE span=3h
      eval(round(avg(ExecutionTime),2)) as AvgExec
      by server

0 Karma

RWL01
Engager

Thanks for the help. I've posted my query above and I'm using the timechart in it. I ran your query and got the same display results initially, but as it got more stats, Splunk formatted the x-axis. To be clear, I want to get the formatting shown in the first image.

0 Karma

kmaron
Motivator

timechart will format the x-axis for you depending on the timeframe and span you are using.

dgawande
Engager

Try this

    | timechart .....
    | fieldformat _time = strftime(_time, "%Y-%m-%d %H:%M")

0 Karma

RWL01
Engager

I uploaded what my graph currently looks like. Is there a way to make the x-axis be formatted like the first image?

0 Karma