Solved: Getting rid of unused time in timechart

plucas_splunk · ‎08-31-2016

Given a search:

index="muni" | nbclosest | timechart span=30m dc(vehicle_id) as NumVehicles

(where nbclosest is a custom search command that filters results and isn't relevant to this question) it correctly charts the data, but the problem the data is only from a subset of hours in the day, e.g., 10am to 7pm. When plotting it, it looks like the attached image:

I'd like to change the chart so that the times outside 10am-7pm aren't displayed at all. It would be as if the chart were squished horizontally by removing midnight-10am and 7pm-midnight.

How can I do this?

sundareshr · ‎08-31-2016

See if add cont=f to the timechart command gives you the desired output.

View solution in original post

somesoni2 · ‎08-31-2016

Give this a try. You may loose the x-axis markers

index="muni" | nbclosest | bucket span=30m _time | stats dc(vehicle_id) as NumVehicles by _time

plucas_splunk · ‎08-31-2016

This produces the same result as adding cont=f but, oddly, says "0 events" on the left.

sundareshr · ‎08-31-2016

See if add cont=f to the timechart command gives you the desired output.

Getting rid of unused time in timechart

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!