Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you make output from xyseries generate the same _time-based X-axis labels as timechart?

Graham_Hanningt
Builder
‎05-02-2016 09:51 PM

The following search:

sourcetype=my_log_type | timechart count by conn_type

generates the chart I want, with one exception: instead of the original conn_type (connection type) values, I want the chart to display more readable, descriptive values.

I want to replace the values after the timechart command. For reasons why, see my comment on a different question.

To rename the series, I append the following commands to the original search:

| untable _time conn_type value | lookup connection_types.csv conn_type output description | xyseries _time description value

This has the desired effect of renaming the series, but the resulting chart lacks the intelligently formatted X-axis values generated by timechart.

How do I reproduce the intelligent X-axis values generated by timechart?

I do not want to hardcode span or bin values: I use this search in a dashboard whose time range might span years or fractions of a second. I want to take advantage of the way timechart chooses a default span based on the time range.

The following screenshots show the original "intelligent" X-axis labels generated by timechart, and the X-axis labels after xyseries:

Splunk screenshots

Preview file
1 KB
Reply
1 Solution
Solved! Jump to solution
Solution

Jeremiah
Motivator
‎05-02-2016 10:05 PM

What about doing a stats and then a timechart?

sourcetype=my_log_type | bucket _time span=1s | stats count by _time, conn_type | lookup connection_types.csv conn_type output description | timechart sum(count) AS count by description

View solution in original post

Reply
Solved! Jump to solution

ctaf
Contributor
‎07-11-2017 03:04 AM

I personally can not use timechart. Is there a way to do what timechart is doing with xyseries ?

EDIT: I found a solution:

I perform the xyseries, then the "untable", and then the timechart... But it really not efficient and optimized. That would be great to know exactly what the timechart command is doing...

0 Karma
Reply
Solved! Jump to solution
Solution

Jeremiah
Motivator
‎05-02-2016 10:05 PM

What about doing a stats and then a timechart?

sourcetype=my_log_type | bucket _time span=1s | stats count by _time, conn_type | lookup connection_types.csv conn_type output description | timechart sum(count) AS count by description
Reply
Solved! Jump to solution

Graham_Hanningt
Builder
‎05-02-2016 11:12 PM

Thank you, @Jeremiah! That works for me.

I've removed the span=1soption after reading the docs: bucket (and bin) seem to share the same default spanning behavior as timechart. I've also replaced the bucket command name with bin, because - tell me if I'm wrong - the bin command seems to be the "primary" command (for which bucket is an alias): the Splunk docs topic for bucket refers the reader to the bin topic.

I'd like to convert your comment into an answer so that I can accept it, but I can't see how to do that. I'm guessing I lack the authority - or karma points - for that option to appear in my user interface. Could you (or anyone reading this) please do that for me, or point me to where I can do that myself?

So, pushing timechart to the end of the search solves my problem. I'm still curious, though: timechart seems to be "doing stuff under the covers" (perhaps: generating "internal use only fields" that Splunk "hides" from users?) that I do not (yet?) have the wit to see.

0 Karma
Reply
Solved! Jump to solution

ppablo
Retired
‎05-03-2016 10:33 AM

Looks like it is now an answer 🙂 accept away!

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...