Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to change timechart axis?

corehan
Explorer
‎04-19-2022 06:02 AM

Hello dears,

How can i change timechart _time axis y to x ?

<base search>  | timechart span=1h sum(REQUESTNAME) as Sikayet count by ilce |sort -count | untable _time Xaxis Yaxis |where Yaxis > 3

 

Regards

Labels (1)
Labels
Tags (1)
Preview file
28 KB
0 Karma
Reply

corehan
Explorer
‎04-25-2022 03:24 AM

Finally here is my query which i want;

<base search> | timechart span=1h count(REQUESTNAME) by ilce usenull=f useother=f | eval Time=strftime(_time,"%H:%M") | table Time,* | untable Time Xaxis Yaxis | xyseries Xaxis Time Yaxis

Fyi..

Preview file
24 KB
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-19-2022 07:12 AM 
| xyseries Xaxis _time Yaxis
0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎04-19-2022 06:52 AM

@corehan - Why you are using untable command?

By default timechart command put _time on the X-axis. Please try removing stuff after sort command and see if you get what you need.

-----
I hope this helps!!! If it does consider upvoting!!!

0 Karma
Reply

corehan
Explorer
‎04-19-2022 06:59 AM

Thank you for suggest but i can't found, how can i put the _time to x axis command..

Regards.

Final search;

<base search>  | timechart span=1h count(REQUESTNAME) by ilce |sort -count 

Also i need to set threshold value like count >3 in this scenario.

 

Preview file
18 KB
0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎04-19-2022 07:11 AM

@corehan - Since you are using timechart command with groupby, your Y-axis field name is not the "count".

If you look at the results it's not one-dimensional results here. So if you want to filter for those for which the total count is not greater than 3 then you can use the following search:

<base search>  | timechart span=1h count(REQUESTNAME) by ilce 
| transpose
| addtotals
| search Total>3
| fields- Total
| transpose header_field=column
| fields - column

 

Please post the screenshot of the result if this does not work.

0 Karma
Reply

corehan
Explorer
‎04-19-2022 08:52 AM

Hello,

I changed the query but i doesn't work;

<base search> | timechart span=1h count(REQUESTNAME) by ilce |transpose | addtotals |fields- Total |transpose header_field=column |fields -column

 

Preview file
8 KB
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...