Splunk Search

Display x-axis scale for a field that isn't _time

w564432
Explorer

Hi guys, I am trying to chart multiple days on the same line chart, kind of like in this example (https://docs.splunk.com/Documentation/Splunk/7.3.2/Search/Comparehourlysumsmultipledays). However, I am plotting 5m intervals and not hours like in the example above:

... | bin span=5m _time | eval clock=strftime(_time,"%H:%M:%S") | chart avg(Total_ct) by clock,day

However, the x-axis labels aren't showing up because there are too many (288 of them). What I want is to have 5m data (and thus 288 intervals over the whole day) but still be able to see some labels on the x-axis. This is what Splunk is trying to show and failing, because of the pixel limit:

[ 00:00 00:05 00:10   . . . . . . . . . . . . . . . . . . . .  . . . . . . . . . . . . 23:55 ]   

I would be okay if the x-axis looked like the following:

[ 0         1           .           .            .            .           .               23]  

Note: it doesn't have to be an hourly interval, I just want some kind of labels to show up on the x-axis. As it is now, there are no labels and it's really hard to tell at a glance what the times are unless I mouse over.

I did find a hacky way to leverage the smart time-scaling display using timechart while also keeping the "chart by time over day" effect. This actually gives me an hourly scale with all 5m time interval data, but when I mouse over each point I see "1971-01-01" on each time (I basically converted all the days into one ridiculous day so I could overlay them).

... | eval clock=strftime(_time,"%H:%M:%S")
| eval reclock="1971-01-01"." ".'clock' 
| eval day=strftime(_time,"%D")
| eval _time=strptime(reclock, "%Y-%m-%d %H:%M:%S")
| timechart span=5m cont=f avg(Total_ct) by day limit=0

Is there some way I can have my cake and eat it too?

0 Karma

to4kawa
Ultra Champion
| stats count
| eval raw="2019/10/01,2019/10/04"
| makemv delim="," raw
| mvexpand raw
| eval raw=strptime(raw,"%Y/%m/%d")
| makecontinuous span=5m raw
| eval _time=raw
| eval Total_ct=random() % 100 + 1
`comment("this is sample data")`
| timechart span=1h avg(Total_ct) as Total_ct
| eval days=tonumber(strftime(_time,"%d"))
| eval time=tonumber(strftime(_time,"%H"))
| xyseries time days Total_ct
| sort time
| fields - 4

Hi, this is a sample query. Please take a look at the line chart.

... | bin span=5m _time
| timechart span=5m avg(Total_ct) as avg_Total_ct
| eval days=tonumber(strftime(_time,"%d"))
| eval time=tonumber(strftime(_time,"%H"))
| xyseries time days avg_Total_ct
| sort time

How about this?

0 Karma

tiagofbmm
Influencer

After the timechart you can again use strftime to strip the date part of it.

0 Karma

w564432
Explorer

I tried that as well. It seems to break the visualization though...

0 Karma

tiagofbmm
Influencer

I'm confused by what you have vs what you want. You're showing Splunk outputs a 5m bin x-axis, but you're getting a day variable to split by but you're expecting an hourly split in the end... What am I missing?

0 Karma

w564432
Explorer

Sorry, I was unclear. Basically,
Yes, I am charting by 5m over day, which results in a multi-time-series timechart, which is a standard 5m timechart with several lines, each representing one particular day. It's not that I then want to bin by hours, but rather to have the x-axis show just the hourly tick marks (or anything that would fit on the screen, really... better than being absolutely blank).

What happens is that the x-axis will try to display all 288 bins. Visualization using "timechart" handles this by displaying less frequent time intervals (obviously it isn't always hours, but in my case it likely will be). Visualization using "chart" just straight up refuses to display the x-axis bins altogether since there's no room (unless you zoom).

I am wondering if I can do this without using the timechart command, since with the hacky way I'm using, every point in the time series needs to conform to one day (1971-01-01), which is not so pretty.

0 Karma
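A self-contained version of the overlay approach from the question, added here as an example and not taken from any post in the thread. It builds three days of constructed 5-minute sample data with makeresults (drop those lines and use your own search instead) and re-anchors every day onto the earliest day actually present in the results rather than 1971-01-01, so timechart keeps its automatic hourly tick marks while the mouse-over shows a real date from the search range. Field names Total_ct and day come from the question; secs_into_day, first_seen and anchor are names chosen here.

```spl
| makeresults count=864
| streamstats count as n
| eval _time = relative_time(now(), "-3d@d") + (n - 1) * 300
| eval Total_ct = random() % 100 + 1
`comment("constructed sample: three days of 5-minute Total_ct samples; replace everything above with your own search")`
| eval day = strftime(_time, "%Y-%m-%d")
`comment("seconds since local midnight, so every day lands on the same 288 five-minute bins")`
| eval secs_into_day = _time - relative_time(_time, "@d")
`comment("anchor every day onto the earliest day in the results instead of 1971-01-01")`
| eventstats min(_time) as first_seen
| eval anchor = relative_time(first_seen, "@d")
| eval _time = anchor + secs_into_day
| timechart span=5m cont=f limit=0 avg(Total_ct) by day
```

The series are still split by the original day, so the legend identifies each line while the x-axis stays a real time axis with readable labels.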