Solved: How to change timechart data points to reflect ful...

jonleach · ‎07-19-2019

Disclaimer - very green to Splunk

My timechart is built with the following

$search | timechart avg(date_hour) by date_mday

And the chart itself looks fine but because im only asking for date_hour each point only reflects the hour portion of each log's time stamp. Can I change my query so the alt text for each data point on the chart reflect the full time stamp?

Also, my x axis properly sorts point by day but my y axis bounds are off - can I set the max and min myself?

THANK YOU

jawaharas · ‎07-21-2019

Try 'span' keyword in 'timechart' command

<base_search>
| timechart span=1h avg(field_name)

View solution in original post

jawaharas · ‎07-21-2019

Try 'span' keyword in 'timechart' command

<base_search>
| timechart span=1h avg(field_name)

jonleach · ‎07-22-2019

Adding span gets me exactly what I needed, thanks!

How to change timechart data points to reflect full timestamp instead of date_hours

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation

How to change timechart data points to reflect full timestamp instead of date_hours

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...