Splunk Search

How do I create a line chart using epoch values, but convert the y and x-axis labels to a human readable format?

Path Finder

Hi all,

I need to chart a series of time(epoch) values over time. So basically, I want to show Dates on both the X and Y Axis of a linechart. After converting the Y-values to epoch, I get a nice line. However epoch values are not very user-friendly, so I would like to convert the axis labels back into a readable format. I created a screenshot to illustrate the problem:
alt text

I tried using "fieldformat" and "convert timeformat...", neither works. If inserted before the chart command, the line can not be drawn anymore, if inserted after, the labels do not change. Using a timechart helps with the X-Axis, but doesn't change anything about the Y-Axis.

Explorer

oh, and the x axis, just add some eval to replace after charting...

| chart max(time) as max_time by datex 
| eval datex = strftime(datex, "%d/%m")
0 Karma

Explorer

Hi, I've done some tricks to do this ...

in the query I converted hh: mm: ss to a number (because string does not write points in the graph):

...
    | chart max(epoch_time) as max_time by date
    | eval max_time = tonumber(strftime(max_time, "%H%M%S"))

into html dashboard, after render() my chartElement (or chartView)

 element4.on("rendered", function () {
            $($("#element4 tspan")).each(function () {
                console.log("element4 : " + $(this).text());
                var rex = new RegExp("[0-9]{0,3},[0-9]{3}");
                if (rex.test($(this).text())) {
                    var hhnum = $(this).text().replace(",", "");
                    var hhzeros = String("000000" + horanumeral).slice(-6);
                    var hhfinal = (horacomzeros).substr(0, 2) + ":" + (horacomzeros).substr(2, 2)
                    $(this).text(hhfinal);
                } else if ($(this).text() < 1000) {
                    var hhzeros = String("000000" + horanumeral).slice(-6);
                    var hhfinal = (horacomzeros).substr(0, 2) + ":" + (horacomzeros).substr(2, 2)
                    $(this).text(hhfinal);
                };
            });
        });

This code needs some refactoring, but this was my first successful case

0 Karma

Splunk Employee
Splunk Employee

Hi @Dohrendorf_Consist,
Have you tried using the "strftime" command in your query to convert the way the time stamp is rendered? Here is some documentation that might help:
http://docs.splunk.com/Documentation/Splunk/6.3.1/SearchReference/CommonEvalFunctions#Date_and_Time_...

See also this older Answers post, which seems related to your question:
https://answers.splunk.com/answers/11649/specify-timestamp-display-format-for-timechart-axis-labels....
Hope this helps! Let me know if not and we can keep discussing.

All best,
@frobinson_splunk

0 Karma

Path Finder

I already had tried that, but it only works on the X-Axis. Using strftime on the Y-Axis results in the line no longer being drawn, apparently because the values are strings after formatting them, which makes sense.

Any other suggestions?

0 Karma

Explorer

Dohrendorf,
Did you make it ?
I'm trying here and I'm having the same problem

tks

0 Karma