Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How do I modify the label for x-axis?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a lookup table similar to the following:
Week Status Number
13 May 17 Open 5
13 May 17 Closed 3
20 May 17 Open 7
20 May 17 Closed 4
I built a timechart using the following syntax:
| inputlookup lookup.csv | eval _time=strptime(Week, "%d %b %y") | timechart span=1w Values(Number) by Status
That produces a line graph timechart, but the x-axis labels are changed:
Mon 8 May
Mon 15 May
What am I not understanding about the strptime command that it's changing the date?
And most importantly, how do I make the change the x-axis label to say something like "Week ending 13 May", "Week ending 20 May"
I looked at the timewrap command but
| inputlookup lookup.csv | eval _time=strptime(Week, "%d %b %y") | timewrap w | timechart span=1w Values(Number) by Status
gives me a chart with four data points all on the left y-axis point "Mon May 22":
"Closed, 2 weeks before", "Open, 2 weeks before", "Closed, 1 week before", "Open, 1 week before".
I need two lines with two data points like I get with the first search.
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's timechart that changes the dates to it's own format from the strptime format. As far as I know there's no way in search to customize that. You can go a different route and bin _time, use xyseries, and finally change the format after:
|inputlookup lookup.csv
|eval _time=strptime(Week, "%d %b %y")
|bin _time span=1w
|xyseries _time Status Number
|eval _time=strftime(_time, "Week ending %d %b")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
| makeresults
| eval raw="13 May 17,Open,5
13 May 17,Closed,3
20 May 17,Open,7
20 May 17,Closed,4"
| makemv delim="
" raw
| mvexpand raw
| rename raw AS _raw
| rex "^(?<Week>[^,]+),(?<Status>[^,]+),(?<Number>.*)$"
| table Week Status Number
| rename COMMENT AS "Everything above creates test events; everything below is your solution"
| chart sum(Number) OVER Week BY Status
| eval _time=strptime(Week, "%d %b %y")
| sort 0 _time
| fields - _time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's timechart that changes the dates to it's own format from the strptime format. As far as I know there's no way in search to customize that. You can go a different route and bin _time, use xyseries, and finally change the format after:
|inputlookup lookup.csv
|eval _time=strptime(Week, "%d %b %y")
|bin _time span=1w
|xyseries _time Status Number
|eval _time=strftime(_time, "Week ending %d %b")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks. That worked great.
Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain
Splunk Lantern’s Guide to The Most Popular .conf25 Sessions
Unlock What’s Next: The Splunk Cloud Platform at .conf25
