Splunk Search

How do I display some major xaxis labels when minor labels wont fit?

Explorer

I'm trying to plot a distribution of events as a column graph. The code is below:

eval time_sec = round(t/1000) | chart count(t) by time_sec | makecontinuous time_sec

When the events are distributed over a small range of 'time_sec' then the xaxis is displayed, with 1 second, 2 seconds, 3 seconds ... 30 seconds.

When the range gets larger, say up to 100 seconds, all x-axis labels disappear. Stretching the browser window to be wider makes them reappear.

Is there any way to make it so that when there is not enough room to fit every label, I can show every 10th label instead? I will be looking to place the result of this search on a dashboard. I've played around with charting.axisLabelsX.majorUnit and charting.axisLabelsX.minorUnit inside a dashboard but have not noticed any change.

And finally, the versions of Splunk I'm using are 6.0 and 6.1.

Tags (3)
0 Karma
1 Solution

SplunkTrust
SplunkTrust

Place the bucket before the chart command.

View solution in original post

0 Karma

SplunkTrust
SplunkTrust

Place the bucket before the chart command.

View solution in original post

0 Karma

Explorer

That bucket command is pretty cool. I tried appending the following to my query:

| bucket time_sec span=5

The problem is instead of one label for the 5 grouped columns, I have 5 labels (and only if I stretch my browser window far off my screen to make them choose to render). Put another way, I go from having the following labels on my x-axis

1,2,3,4,5,6,7,8,9,10
to
0-5,0-5,0-5,0-5,0-5,5-10,5-10,5-10,5-10,5-10.

If the ranges were consolidated so the graph only showed 0-5, 5-10, instead of five copies of each would be good.

(p.s, the actual range is 0-120)

0 Karma

SplunkTrust
SplunkTrust

I see, the field t is a duration rather than a time.
I believe those axis configuration settings are a relict from FlashChart times, and JSChart never supported those. http://docs.splunk.com/Documentation/Splunk/6.1.2/AdvancedDev/CustomChartingConfig-AxisGrid#Numeric_...

Have you considered using the bin/bucket command to reduce the number of columns in your chart? http://docs.splunk.com/Documentation/Splunk/6.1.2/SearchReference/Bucket

0 Karma

Explorer

Thanks for your comment. I reconsidered timechart, but after having a play with it and it doesn't do what I would like.

What I want to create is basically a histogram of response times. The x-axis is not in the time domain, it does not use a continuous range of days, dates, etc. I don't use '_time' or anything derived from it.

The discrete intervals like '1 second', '2 seconds', ... '100 seconds' come from the event field 't'.

0 Karma

SplunkTrust
SplunkTrust

Have you considered using timechart instead of chart ... by time? That takes care of unintelligible labels automatically.

0 Karma