I faced this problem when implemented "Export" functionality to my reports. Unfortunately, time there was only displayed as a non-readable timestamp, so I had to convert the _time value to a human-readable string.
It resulted in my X-axis to look like a complete mess
It seems that the _time change has also changed my span parameter, though it's actually empty. Anyway, the thing is that I now need span=2h for the search results (i.e. the actual line), but I don't need to see that many "time sockets" on the bottom.
What I'm looking for is something like the default timeline, like that:
Where report's line does not necessarily have a timeline slot allocated at each results set.
So I was wondering, if there is a module or a parameter that I can use in order to specify the span parameter particularly for the timeline, not for the whole search.
Alternatively, is there a way to format the _time value exported into the CSV, so that the online report will remain untouched?
yoursearchstuffhere | eval timestamp = strftime(_time,"%x %X") | exportstuffhere | timechart span=1h fixedrange=f fieldtoChart
What this does is create a new field called
timestamp that is human-readable. Export that, and don't jank with _time. (You can, but it makes a mess as you see.) I may not have the span option set the way you want on the timechart, but I think you can see the options. Once you get the timechart, choose Format Options to change it to a bar chart and it will look more like the timeline.
I hope I understood the question!
The thing is that I'm using Export module in order to export my reports. It's not query-based.
I thought about the idea you suggest, but couldn't find any documented information on how to specify inputs for the Export module.