Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my search to show values of 1 hour increments on the x-axis of the chart?

L064979
Engager
‎01-07-2015 05:11 PM

I have this search string shown below, it is perfect except that it does not show any values of the X-axis of the chart. What i'm wanting is to have hourly increments on the x-axis i.e. 12, 1, 2, etc... Your time is appreciated!

index = ims IMS1 earliest = -90d@d latest = -1d@d 
| eval dow = tonumber(strftime(_time,"%w")) 
| where dow!=0 AND dow!=6 
| eval TDay=strftime(now(), "%F") 
| eval QDay=strftime(_time,"%F") 
| convert timeformat="%Y-%m-%d" mktime(TDay) 
| convert timeformat="%Y-%m-%d" mktime(QDay) 
| eval tdiff=(TDay-QDay)/86400 
| eval new_time=_time+86400*tdiff 
| eval _time=if(isnotnull(new_time), new_time, _time) 
| eval Max_Peak = 20000 
|bin _time span=15m 
|stats first(Max_Peak) as Max_Peak avg(Tran_Count) as Normal_Day perc95(Tran_Count) as tempUpper perc10(Tran_Count) as Lower by _time 
| eval Upper=tempUpper-Lower 
| table _time Upper Normal_Day Lower Max_Peak
| join type=outer _time   [search index = ims IMS1 earliest = -0d@d latest = now | timechart span=15m avg(Tran_Count) as IMS1_Today_AVG]
| join type=outer _time   [search index = ims IMS2 earliest = -0d@d latest = now | timechart span=15m avg(Tran_Count) as IMS2_Today_AVG]
| join type=outer _time   [search index = ims IMS3 earliest = -0d@d latest = now | timechart span=15m avg(Tran_Count) as IMS3_Today_AVG]
Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

Raghav2384
Motivator
‎01-07-2015 08:26 PM 
I used the same exact search of yours with little modifications.
 1. changed index=main and removed IMS1
 2. Changed the search window from -90d to -24h since (90 day with 1hr will have 2160 datapoints)
 3. changed span from 15m to 1Hr from the timecharts as well as bin _time span=1h and i got an output with 1 hour data points on x axis.

**Recommendations**: change the span from 15 min to 1hr as using 15m intervals of 90 days would generate 129600 datapoints!
Also reduce it from -90d to a smaller set like 7d and see if you get the desired outputs.

Hope this helps!
Thanks,
Raghav

View solution in original post

Reply
Solved! Jump to solution
Solution

Raghav2384
Motivator
‎01-07-2015 08:26 PM 
I used the same exact search of yours with little modifications.
 1. changed index=main and removed IMS1
 2. Changed the search window from -90d to -24h since (90 day with 1hr will have 2160 datapoints)
 3. changed span from 15m to 1Hr from the timecharts as well as bin _time span=1h and i got an output with 1 hour data points on x axis.

**Recommendations**: change the span from 15 min to 1hr as using 15m intervals of 90 days would generate 129600 datapoints!
Also reduce it from -90d to a smaller set like 7d and see if you get the desired outputs.

Hope this helps!
Thanks,
Raghav

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...