Splunk Search

How to edit my search to show values of 1 hour increments on the x-axis of the chart?

L064979
Engager

I have this search string shown below. It is perfect except that it does not show any values on the X-axis of the chart. What I'm wanting is to have hourly increments on the x-axis, i.e. 12, 1, 2, etc... Your time is appreciated!

```
index = ims IMS1 earliest = -90d@d latest = -1d@d
| eval dow = tonumber(strftime(_time,"%w"))
| where dow!=0 AND dow!=6
| eval TDay=strftime(now(), "%F")
| eval QDay=strftime(_time,"%F")
| convert timeformat="%Y-%m-%d" mktime(TDay)
| convert timeformat="%Y-%m-%d" mktime(QDay)
| eval tdiff=(TDay-QDay)/86400
| eval new_time=_time+86400*tdiff
| eval _time=if(isnotnull(new_time), new_time, _time)
| eval Max_Peak = 20000
| bin _time span=15m
| stats first(Max_Peak) as Max_Peak avg(Tran_Count) as Normal_Day perc95(Tran_Count) as tempUpper perc10(Tran_Count) as Lower by _time
| eval Upper=tempUpper-Lower
| table _time Upper Normal_Day Lower Max_Peak
| join type=outer _time [search index = ims IMS1 earliest = -0d@d latest = now | timechart span=15m avg(Tran_Count) as IMS1_Today_AVG]
| join type=outer _time [search index = ims IMS2 earliest = -0d@d latest = now | timechart span=15m avg(Tran_Count) as IMS2_Today_AVG]
| join type=outer _time [search index = ims IMS3 earliest = -0d@d latest = now | timechart span=15m avg(Tran_Count) as IMS3_Today_AVG]
```
1 Solution

Raghav2384
Motivator
I used the exact same search of yours with a few modifications.
 1. Changed index=main and removed IMS1
 2. Changed the search window from -90d to -24h (since 90 days with 1hr will have 2160 datapoints)
 3. Changed span from 15m to 1hr in the timecharts as well as bin _time span=1h, and I got an output with 1 hour data points on the x-axis.

**Recommendations**: change the span from 15 min to 1hr as using 15m intervals of 90 days would generate 129600 datapoints!
Also reduce it from -90d to a smaller set like 7d and see if you get the desired outputs.

Hope this helps!
Thanks,
Raghav
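
An added example, not part of the original posts: a Python sketch of what the baseline half of the search computes once the span is set to one hour. Weekday events are folded onto today's date by time of day, binned by the span, then averaged and percentiled per bucket. The sample events, the function names and the nearest-rank percentile are assumptions made for illustration; Splunk's `perc95`/`perc10` may compute slightly different values.

```python
from datetime import date, datetime, timedelta
from statistics import mean

def percentile(values, p):
    """Nearest-rank percentile (assumption: Splunk's perc<N>() may differ slightly)."""
    ordered = sorted(values)
    rank = max(1, -(-len(ordered) * p // 100))  # integer ceil(n * p / 100)
    return ordered[rank - 1]

def baseline(events, today, span_minutes=60):
    """Fold (timestamp, Tran_Count) events onto `today` and summarise per time bucket."""
    midnight = datetime.combine(today, datetime.min.time())
    buckets = {}
    for ts, tran_count in events:
        if ts.weekday() >= 5:          # drop Saturday/Sunday, like dow!=0 AND dow!=6
            continue
        minute_of_day = ts.hour * 60 + ts.minute
        start = minute_of_day - minute_of_day % span_minutes   # bin _time span=<span>
        buckets.setdefault(midnight + timedelta(minutes=start), []).append(tran_count)
    rows = {}
    for bucket in sorted(buckets):
        values = buckets[bucket]
        lower = percentile(values, 10)
        rows[bucket] = {
            "Normal_Day": mean(values),
            "Lower": lower,
            "Upper": percentile(values, 95) - lower,  # same as Upper=tempUpper-Lower
        }
    return rows

def sample_events(today, days=14):
    """Constructed data: one reading every 15 minutes for the `days` before today."""
    start = datetime.combine(today, datetime.min.time()) - timedelta(days=days)
    return [(start + timedelta(minutes=15 * i), 100 + (i % 96) + (i // 96))
            for i in range(days * 96)]

if __name__ == "__main__":
    today = date(2024, 3, 6)           # constructed "today" (a Wednesday)
    events = sample_events(today)
    for span in (15, 60):
        rows = baseline(events, today, span)
        print(f"span={span}m -> {len(rows)} rows on the x-axis")
    for bucket, row in list(baseline(events, today, 60).items())[:3]:
        print(bucket.strftime("%H:%M"), row)
```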
