Splunk Search

How to edit my search to create a bubble chart with dates shown on X axis?

New Member

I have a search that returns me 3 fields (let's say country, _time, count)

I want to show these results in a bubble chart but the X axis (_time) instead of returning dates, it returns 0, 1, 2, 3 etc - it's as if instead of taking the actual date it is taking the line number where the _time field is populated and using that.

I've been playing with date formats and other options but it makes no difference.

Hopefully one of you Splunk gurus can put me out of my misery and let me know what I'm doing wrong!

0 Karma

Path Finder

If you add an ID to the panel "bubblechart", then add this as a script to the dashboard, it'll re-write the epoch time strings to a date format. Verified working on Splunk 6.4.4.

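require(['jquery', 'splunkjs/mvc/simplexml/ready!'], function($) {
        // Wait one second so the chart has rendered before touching its labels.
        setTimeout(function(){
                // Each X-axis label is an SVG <text> element inside the panel with ID "bubblechart".
                $('#bubblechart').find('.highcharts-xaxis-labels').children('text').each(function(){
                        // Strip thousands separators, then parse the label as epoch seconds.
                        var epochtime = parseInt($(this).html().replace(/\,/g,''),10);
                        // JavaScript dates use milliseconds, so multiply by 1000.
                        var objDate = new Date(epochtime*1000);
                        $(this).html(objDate.toLocaleDateString('en-US'));
                });
        }, 1000);
});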
0 Karma

SplunkTrust

Use bin to turn the _time field into dates/days.

| bin _time as MyDate span=1d
| table country, MyDate, count 

Sounds like currently it's presenting as minutes or something.

0 Karma

New Member

Hi DalJeanis - this gets me a bit closer; my _time Axis (now MyDate) now shows epoch time

...the only problem is if I use a convert or eval time=strftime to make the date more readable the info is no longer passed to the chart.

The date is showing correctly in the data under the chart but if I hover over a bubble inside the chart MyDate shows as 0

0 Karma

SplunkTrust

What happens if you do this?

 | bin _time span=1d
 | table country, _time, count 
0 Karma

New Member

If I change it then it puts me back to my X axis showing 1, 2, 3, 4 rather than epoch time....

0 Karma

New Member

I'm going to assume it's got something to do with the bubble chart needing a stats command to generate the fields it uses.....that must mess up whatever exists in the _time field so it doesn't display. I'll play some more but this may be one of those "you can't do it" moments....

0 Karma

SplunkTrust

Hi andyp54,
if you look at the Dashboard example Bubblechart (see https://splunkbase.splunk.com/app/1603/), with the bubblechart graph you can use only two parameters (you have three: country, _time, EventCode!).
Bye.
Giuseppe

0 Karma

SplunkTrust

Actually, by definition of a bubble chart, it's three - X value, Y value, and size of the bubble. The Splunk bubble chart also allows a fourth, using a different color for different series.

https://docs.splunk.com/Documentation/Splunk/6.5.2/Viz/BubbleChart

0 Karma

New Member

index=?? sourcetype=?? country=* | bucket  _time span=1d | stats count by country, _time, EventCode (span of 30 days)

Replaced my real index & sourcetype with ?? above but the query works in real life.

I get a nice stats page with results grouped by day, but over in Visualizations > Bubble Chart my X axis (_time) goes from 0 - 58.

Thanks Giuseppe!

0 Karma

SplunkTrust

Can you share your search?
Bye.
Giuseppe

0 Karma