Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to change timechart axis?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to change timechart axis?
corehan
Explorer
04-19-2022
06:02 AM
Hello dears,
How can i change timechart _time axis y to x ?
<base search> | timechart span=1h sum(REQUESTNAME) as Sikayet count by ilce |sort -count | untable _time Xaxis Yaxis |where Yaxis > 3
Regards
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
corehan
Explorer
04-25-2022
03:24 AM
Finally here is my query which i want;
<base search> | timechart span=1h count(REQUESTNAME) by ilce usenull=f useother=f | eval Time=strftime(_time,"%H:%M") | table Time,* | untable Time Xaxis Yaxis | xyseries Xaxis Time Yaxis
Fyi..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
04-19-2022
07:12 AM
| xyseries Xaxis _time Yaxis- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
VatsalJagani
SplunkTrust
04-19-2022
06:52 AM
@corehan - Why you are using untable command?
By default timechart command put _time on the X-axis. Please try removing stuff after sort command and see if you get what you need.
-----
I hope this helps!!! If it does consider upvoting!!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
corehan
Explorer
04-19-2022
06:59 AM
Thank you for suggest but i can't found, how can i put the _time to x axis command..
Regards.
Final search;
<base search> | timechart span=1h count(REQUESTNAME) by ilce |sort -count
Also i need to set threshold value like count >3 in this scenario.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
VatsalJagani
SplunkTrust
04-19-2022
07:11 AM
@corehan - Since you are using timechart command with groupby, your Y-axis field name is not the "count".
If you look at the results it's not one-dimensional results here. So if you want to filter for those for which the total count is not greater than 3 then you can use the following search:
<base search> | timechart span=1h count(REQUESTNAME) by ilce
| transpose
| addtotals
| search Total>3
| fields- Total
| transpose header_field=column
| fields - column
Please post the screenshot of the result if this does not work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
corehan
Explorer
04-19-2022
08:52 AM
Hello,
I changed the query but i doesn't work;
<base search> | timechart span=1h count(REQUESTNAME) by ilce |transpose | addtotals |fields- Total |transpose header_field=column |fields -column
Get Updates on the Splunk Community!
Splunk App for Anomaly Detection End of Life Announcment
Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...
Aligning Observability Costs with Business Value: Practical Strategies
Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...
Mastering Data Pipelines: Unlocking Value with Splunk
In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...
