Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I create a line chart using epoch values, but convert the y and x-axis labels to a human readable format?

Dohrendorf_Cons
Path Finder
‎11-25-2015 11:46 AM

Hi all,

I need to chart a series of time(epoch) values over time. So basically, I want to show Dates on both the X and Y Axis of a linechart. After converting the Y-values to epoch, I get a nice line. However epoch values are not very user-friendly, so I would like to convert the axis labels back into a readable format. I created a screenshot to illustrate the problem:
alt text

I tried using "fieldformat" and "convert timeformat...", neither works. If inserted before the chart command, the line can not be drawn anymore, if inserted after, the labels do not change. Using a timechart helps with the X-Axis, but doesn't change anything about the Y-Axis.

Preview file
1 KB
Reply

rafaelvjb
Explorer
‎09-25-2018 01:04 PM

oh, and the x axis, just add some eval to replace after charting...

| chart max(time) as max_time by datex 
| eval datex = strftime(datex, "%d/%m")
0 Karma
Reply

rafaelvjb
Explorer
‎09-25-2018 01:01 PM

Hi, I've done some tricks to do this ...

in the query I converted hh: mm: ss to a number (because string does not write points in the graph):

...
    | chart max(epoch_time) as max_time by date
    | eval max_time = tonumber(strftime(max_time, "%H%M%S"))

into html dashboard, after render() my chartElement (or chartView) 

 element4.on("rendered", function () {
            $($("#element4 tspan")).each(function () {
                console.log("element4 : " + $(this).text());
                var rex = new RegExp("[0-9]{0,3},[0-9]{3}");
                if (rex.test($(this).text())) {
                    var hhnum = $(this).text().replace(",", "");
                    var hhzeros = String("000000" + horanumeral).slice(-6);
                    var hhfinal = (horacomzeros).substr(0, 2) + ":" + (horacomzeros).substr(2, 2)
                    $(this).text(hhfinal);
                } else if ($(this).text() < 1000) {
                    var hhzeros = String("000000" + horanumeral).slice(-6);
                    var hhfinal = (horacomzeros).substr(0, 2) + ":" + (horacomzeros).substr(2, 2)
                    $(this).text(hhfinal);
                };
            });
        });

This code needs some refactoring, but this was my first successful case

0 Karma
Reply

frobinson_splun
Splunk Employee
Splunk Employee
‎11-25-2015 12:28 PM

Hi @Dohrendorf_Consist,
Have you tried using the "strftime" command in your query to convert the way the time stamp is rendered? Here is some documentation that might help:
http://docs.splunk.com/Documentation/Splunk/6.3.1/SearchReference/CommonEvalFunctions#Date_and_Time_...

See also this older Answers post, which seems related to your question:
https://answers.splunk.com/answers/11649/specify-timestamp-display-format-for-timechart-axis-labels....
Hope this helps! Let me know if not and we can keep discussing.

All best,
@frobinson_splunk

0 Karma
Reply

Dohrendorf_Cons
Path Finder
‎11-26-2015 01:12 AM

I already had tried that, but it only works on the X-Axis. Using strftime on the Y-Axis results in the line no longer being drawn, apparently because the values are strings after formatting them, which makes sense.

Any other suggestions?

0 Karma
Reply

rafaelvjb
Explorer
‎09-14-2018 07:04 AM

Dohrendorf,
Did you make it ?
I'm trying here and I'm having the same problem

tks

0 Karma
Reply
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...