Splunk Search

Chart Visualization Updates

aquinojason
Path Finder

Hi,

Could you help me why the values for the Y-Axis is not being set correctly? I specified 6000 with interval of 500 but I am getting 5446 as attached.

aquinojason_0-1642083093521.png

I also want to know how I can update the X-axis to display the data per week instead of per Month. I tried using span by I am not getting a good results.

I am using the following:

index=xxxxx sourcetype=xxxx EXPRSSN=IBM4D* | eval DATE=strftime(strptime(DATE,"%d%b%Y"),"%Y-%m-%d") | table EXPRSSN DATE MIPS | eval _time=strptime(DATE." "."00:00:00","%Y-%m-%d %H:%M:%S") | chart list(MIPS) over _time by EXPRSSN

Labels (1)
0 Karma

aquinojason
Path Finder

Hi,

I tried it but didn't really changed the visual much.

aquinojason_0-1642084916993.png

Thanks and Regards,

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Can you share your simple XML for the chart?

0 Karma

aquinojason
Path Finder

Hi, 

It will be this one.

<dashboard>
<label>13MONTH</label>
<row>
<panel>
<title>13 MONTH WEEKLY CPU AVERAGE AND HIGH WATER MARK WITH WEEKLY AVERAGE TREND</title>
<chart>
<title>IBM4D</title>
<search>
<query>index=xxxxxx sourcetype="xxxxxx" EXPRSSN=IBM4D* | eval DATE=strftime(strptime(DATE,"%d%b%Y"),"%Y-%m-%d") | table EXPRSSN DATE MIPS | eval _time=strptime(DATE." "."00:00:00","%Y-%m-%d %H:%M:%S") | chart list(MIPS) over _time by EXPRSSN | trendline sma2(MIPS) as trend</query>
<earliest>0</earliest>
<latest></latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisLabelsY.majorUnit">500</option>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.abbreviation">none</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.abbreviation">none</option>
<option name="charting.axisY.maximumNumber">6000</option>
<option name="charting.axisY.minimumNumber">0</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.abbreviation">none</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">area</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.overlayFields">IBM4DPEAK</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">none</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisStart</option>
<option name="charting.legend.mode">standard</option>
<option name="charting.legend.placement">bottom</option>
<option name="charting.lineWidth">2</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
</chart>
</panel>
</row>
</dashboard>

 

Thanks and Regards,

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Your issue is to do with the amount of space you have to display your chart and the number of major intervals on the y axis. The chart will attempt to display about 10 intervals. You have 12 (6000/500). When there isn't sufficient height to display the intervals (each interval has a minimum height depending on the font size being used by the viz), the intervals get adjusted e.g. no longer 500. The solution is either to increase the interval size, e.g. 1000 giving you 6 intervals to display, or increase the height taken by the chart

<option name="height">450</option>

 

0 Karma

aquinojason
Path Finder

Hi,

   Thank you. This worked for the Y-axis display. Would you know how I can update the X-axis interval also?

Thanks and Regards,

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Your issue there is that your x-axis is _time - charts treat _time in special ways - one way around this would be to assign a new field to a formatted version of time

| bin _time span=7d
| eval time=strftime(_time,"%y-%m-%d")
| chart sum(MIPS) over time by EXPRSSN 
0 Karma

aquinojason
Path Finder

@ITWhisperer wrote:

Your issue there is that your x-axis is _time - charts treat _time in special ways - one way around this would be to assign a new field to a formatted version of time

 

| bin _time span=7d
| eval time=strftime(_time,"%y-%m-%d")
| chart sum(MIPS) over time by EXPRSSN 

 


I tried spanning for 7d and it showed differently.  I wanted to span it still per day but wanted to display weeks on the x-axis instead of months.

aquinojason_0-1642095438778.png

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Try

| bin _time span=7d
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...