Hi guys,
I faced this problem when implemented "Export" functionality to my reports. Unfortunately, time there was only displayed as a non-readable timestamp, so I had to convert the _time value to a human-readable string.
It resulted in my X-axis to look like a complete mess
It seems that the _time change has also changed my span parameter, though it's actually empty. Anyway, the thing is that I now need span=2h for the search results (i.e. the actual line), but I don't need to see that many "time sockets" on the bottom.
What I'm looking for is something like the default timeline, like that:
Where report's line does not necessarily have a timeline slot allocated at each results set.
So I was wondering, if there is a module or a parameter that I can use in order to specify the span parameter particularly for the timeline, not for the whole search.
Alternatively, is there a way to format the _time value exported into the CSV, so that the online report will remain untouched?
Thanks.
Try this:
yoursearchstuffhere |
eval timestamp = strftime(_time,"%x %X") |
exportstuffhere |
timechart span=1h fixedrange=f fieldtoChart
What this does is create a new field called timestamp
that is human-readable. Export that, and don't jank with _time. (You can, but it makes a mess as you see.) I may not have the span option set the way you want on the timechart, but I think you can see the options. Once you get the timechart, choose Format Options to change it to a bar chart and it will look more like the timeline.
I hope I understood the question!
Should make the module export the results, not the events. This might include the timestamp field. Not sure what other things can be set on the Export.
The thing is that I'm using Export module in order to export my reports. It's not query-based.
I thought about the idea you suggest, but couldn't find any documented information on how to specify inputs for the Export module.
Thanks anyway!