Splunk Search

How can I change the x-axis label on my chart to a month count?

ngerosa
Path Finder

Hi,
I have this table:
_time ATTENUATION EOL

2017-09-08 15 21
2017-09-09 15.3 21
.

.
2017-10-01 15.7 21
2017-10-02 15.4 21

I stored the data since June, so for every day I have a value for "ATTENUATION" and a value for EOL that is always the same for every day because is a threshold.
Since I have a lot of values, Splunk doesn't show me any value in the x-axis
I want to chart all data, that I have stored, with a simple line chart (without any stats) grouped by month.

Any ideas?

Thanks a lot

0 Karma

DalJeanis
Legend

Try this, assuming you are using chart

| your chart command
| eval _time= relative_time(_time,"@mon")
0 Karma

ngerosa
Path Finder

Hi DalJeanis,
the label of the x-axis that I want is correct but the chart it seems not correct.
In this link you can find the chart using your command : https://ibb.co/i2zH5m
In this link you can find the right chart without using your command: https://ibb.co/byXLQm
I want the label of the first chart in the second chart 🙂

0 Karma

lloydknight
Builder

Hello ngerosa,

If my understanding is correct, you want to trend the count of the fields into its own value in the x-axis.

say for example:

  index=your_index earliest=@mon latest=now | chart count(ATTENUATION) AS ATTENUATION_count by ATTENUATION 

What I don't understand is that you have two fields (ATTENUATION and EOL) that you want to put in the x-axis? is that correct?

EDIT:
try this:

index=your_index earliest=@mon latest=now | chart count(ATTENUATION) AS ATTENUATION_count by ATTENUATION | join [search  index=your_index earliest=@mon latest=now | chart count(EOL) AS EOL_count by EOL]

then click Format on the Visualization tab and select Chart Overlay and Overlay the field EOL to have a Y-axis count on the right side.

Hope it helps!

0 Karma

ngerosa
Path Finder

Hi lloydknight ,
I don't want to do any stats for my values.
I already have a chart that display my all data, my only problem is the setting of the x-axis.
I want to display only ONE time the name of every month and not for every value the name of month

0 Karma

lloydknight
Builder

Apologies. I'm really confused with your requirements.

so what do you want to trend every month? distinct count of EOL? ATTENUATION?

0 Karma

ngerosa
Path Finder

EOL (End-Of-Life) is only a costant value that is a reference value and indicates, if "ATTENUATION" value exceeded the EOL value, that there is problem.
So in the chart I have two lines:
One line that is costant that represent a EOL value and another line that indicates the "ATTENUATION"value.

My problem is not how to display data but is how to display label of the x-axis with only one time every month.

In this link you can find the x-axis that I want : https://ibb.co/cn4s5m

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi ngerosa ,
you said data grouped by month: are you meaning that you want an average of the monthly values or what?
if an average try something like this:

index=your_index
| timechart span=1mon avg(ATTENUATION) AS ATTENUATION avg(EOL) AS EOL

if instaead you want all the daily values try something like this:

index=your_index
| timechart values(ATTENUATION) AS ATTENUATION values(EOL) AS EOL

In both the cases you can display results as a chart.
Bye.
Giuseppe

0 Karma

ngerosa
Path Finder

Hi Giuseppe,
my problem is not how to chart the data, but how to display in x-axis only a month and not all every single day.

0 Karma

lloydknight
Builder

is it something like this?

 base search | chart count(ATTENUATION) AS ATTENUATION, count(EOL) AS EOL by date_month
0 Karma

ngerosa
Path Finder

Hi lloydknight ,
my problem is not how to chart the data, but how to display in x-axis only a month and not all every single day.

I want to display all values that I have stored but in the x-axis I want to display only ONE time the name of every month

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...