Splunk Search

How can I change the Y-axis in a timechart visualization from descending to ascending?

danielgp89
Path Finder

Hello Everyone!

I have a timechart visualization and I would like to change the order of the numbers on the Y-axis from descending to ascending.

As you can see in the picture, it goes 3 - 6 - 9 - 12, and instead I would like something like 24 - 21 - 18 - 15.

[screenshot]

This is my query. I tried something like

|sort -"_time"
|sort -"duracion"

index=controlm | eval duracion=strftime(_time,"%H.%M")
| timechart max(duracion) by job_member_name limit=20

But neither of those does what I want.


niketn
Legend

@danielgp89 Can you try the following run anywhere example based on Splunk's _internal index?

1) Simulates your current scenario with Timechart command

index=_internal sourcetype=splunkd log_level!=INFO NOT (component IN (Periodic*,Metrics*))  earliest=-1d@d latest=-0d@d-1s
| eval duracion=strftime(_time,"%H.%M")
| timechart max(duracion) as duracion by component limit=20 useother=f usenull=f

[screenshot]

2) Uses stats to bucket events over time and then chart to transpose as needed. String Time has been used instead of Epoch time to reverse the chart.

index=_internal sourcetype=splunkd log_level!=INFO NOT (component IN (Periodic*,Metrics*))  earliest=-1d@d latest=-0d@d-1s
| eval duracion=strftime(_time,"%H.%M")
| bin _time span=1h
| stats max(duracion) as duracion by _time component
| eval Time=strftime(_time,"%Y/%m/%d %H:%M")
| chart max(duracion) as duracion by Time component limit=20 useother=f usenull=f
| reverse

[screenshot]

PS: Since duracion is HH.MM I have taken 24 hours of data (I have picked Previous Day instead of the current time window, so that the chart does not change every time we run the query on Splunk's _internal index, which is constantly being written to).

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

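A run-anywhere version of the accepted approach, added here as an example; it is not part of niketn's post or of the original controlm query. It fabricates two jobs' worth of events for the previous day with makeresults, so it needs no index (the job_even/job_odd names and the 30-minute spacing are constructed), and it computes duracion as a numeric fractional hour (hour + minute/60) instead of the "HH.MM" string, so that max() and the Y-axis treat 09.30 as 9.5 rather than as 9.3.

```spl
| makeresults count=48
| streamstats count as n
| eval _time = relative_time(now(), "-1d@d") + (n - 1) * 1800
| eval job_member_name = if(n % 2 == 0, "job_even", "job_odd")
| eval duracion = tonumber(strftime(_time, "%H")) + tonumber(strftime(_time, "%M")) / 60
| bin _time span=1h
| stats max(duracion) as duracion by _time job_member_name
| eval Time = strftime(_time, "%Y/%m/%d %H:%M")
| chart max(duracion) as duracion by Time job_member_name limit=20 useother=f usenull=f
| reverse
```

Paste it into the search bar as-is; because the events come from makeresults, the time picker does not filter them. The pipeline after the fourth line is the accepted answer unchanged except for the numeric duracion: bin and stats collapse each job to one value per hour, chart pivots the string Time field into the row axis, and reverse flips the row order so the rows (and therefore the X-axis of a column or line chart driven by Time) run from the latest bucket to the earliest. Swap the first four lines for index=controlm | eval duracion=... to apply it to the real data.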


danielgp89
Path Finder

@niketnilay Thanks so much for your time and response!

That was exactly what I was looking for.

Best Regards!!

chrisyounger
SplunkTrust

Does this work for you:

index=controlm | eval duration=strftime(_time,"%H.%M") | timechart max(duration) as duracion by job_member_name limit=20 | eval duration= duration * -1


danielgp89
Path Finder

Hello @chrisyoungerjds!

I was thinking, what if I change the value of the hour to -1? For example:

from 21.00 to 21.59 = -3
from 22.00 to 22.59 = -2
from 23.00 to 23.59 = -1
from 00.00 to 00.59 = 0

index=controlm
| eval duracion=strftime(_time,"%H.%M")
| eval hora=case(duracion>="23.00" AND duracion<"23.59", "-1",
                 duracion>="00.00" AND duracion<"00.59", "0",
                 duracion>="01.00" AND duracion<"01.59", "1",
                 duracion>="02.00" AND duracion<"02.59", "2")
| timechart max(duracion) by job_member_name

So it is going to start from the bottom!

But one of the issues that I have here is that it is not working as I expect! Each time it finds a number that matches the query, the other ones disappear.

[screenshot]

Could you help me land my idea, please?

Best Regards!


danielgp89
Path Finder

No @chrisyoungerjds, I didn't set anything.

[screenshot]

Look! Here is an example of how _time matches the duration field that I created:

[screenshot]


danielgp89
Path Finder

Thanks a lot for your help @chrisyoungerjds! hehe, but that doesn't work either.

That query decomposed my data. The Y-axis is supposed to be the hour at which the event executed, but with this query it displays different data!

Original query:
[screenshot]

With the suggested query:
[screenshot]


chrisyounger
SplunkTrust

With my query it appears that you have set "Format" > "Y-Axis value" on the chart, which is why it's not appearing correctly.


danielgp89
Path Finder

Hello @chrisyoungerjds.

No! Unfortunately that query didn't work.

It keeps the same order of the numbers!


chrisyounger
SplunkTrust

Sorry, I had a typo. Try this:

index=controlm | eval duration = (_time % 86400) / 3600 * -1 | timechart max(duration) as duration by job_member_name limit=20


woodcock
Esteemed Legend

I was thinking the same thing, but I don't think that he will go for it. Let's just wait for @niketnilay to show up with a full answer.

niketn
Legend

😄 @woodcock Done!!!


chrisyounger
SplunkTrust

haha 🙂

Also @danielgp89 your time conversion is a bit dodgy. You should probably do this:

index=controlm | eval duration = (_time % 86400) / 3600 * -1 | timechart max(duration) as duration by job_member_name limit=20

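One caveat worth checking before adopting the negated-hour query above, shown as an added example that is not part of chrisyounger's post: _time is a UTC epoch, so (_time % 86400) / 3600 is the hour of day in UTC, while strftime(_time, "%H") is rendered in the user's configured Splunk timezone (the same one the original "%H.%M" duracion field uses). Unless that timezone is UTC, the two differ by the timezone offset and shift again across DST changes, which would make the negated axis disagree with the HH.MM values seen elsewhere. The search fabricates one day of events with makeresults (constructed, no index needed) and puts both hour calculations side by side, with the negated value computed from the local hour.

```spl
| makeresults count=48
| streamstats count as n
| eval _time = relative_time(now(), "-1d@d") + (n - 1) * 1800
| eval utc_hour = (_time % 86400) / 3600
| eval local_hour = tonumber(strftime(_time, "%H")) + tonumber(strftime(_time, "%M")) / 60
| eval duration = local_hour * -1
| timechart span=1h max(utc_hour) as utc_hour max(local_hour) as local_hour max(duration) as duration
```

If utc_hour and local_hour match in the result table, the shorter modulo form is safe for that user; if they differ, keep the strftime-based local_hour. Either way duration runs from 0 at the top of the Y-axis down to -23.5 at the bottom; once the numbers look right, add by job_member_name to the timechart as in the thread to split per job.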