Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to edit the x-axis label for timechart to ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What seemed easy is not as easy as i thought.
Here is my usecase:
One of the fields i have is called Latency. I want average on it over time.
So, my search is like this:
index=index_name | timechart bins=1000 avg(Latency)
Everthing is fine except the x-axis labeling which says 3:58:00 PM, Mon Apr 13 2015
I would like the label to be
0, 60, 120, 180 (representing seconds)
(or) 0,1,2,3,.. representing minutes.
What is the correct approach to do these type of calculations?
Macros or Python scripts or export the xml dashboard to html and manipulate the data with javascript?
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can achieve this by adding some additional commands to the end of your search:
index=index_name
| timechart bins=1000 avg(Latency) as AvgLatency
| eventstats earliest(_time) as etime
| eval ntime=_time-etime
| table ntime AvgLatency
The eventstats line adds a field called etime containing the earliest timestamp in your graph. The eval pushes all the times back by that amount, leaving you with a graph starting at 0. Then just table those fields and draw your graph.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can achieve this by adding some additional commands to the end of your search:
index=index_name
| timechart bins=1000 avg(Latency) as AvgLatency
| eventstats earliest(_time) as etime
| eval ntime=_time-etime
| table ntime AvgLatency
The eventstats line adds a field called etime containing the earliest timestamp in your graph. The eval pushes all the times back by that amount, leaving you with a graph starting at 0. Then just table those fields and draw your graph.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Excellent. Thanks aweitzman.
Your explanation was even better.
However, while charting, the x-axis label just says ntime. How to make it to say 0,60,...?
In general, i have trouble with the following:
1. making a two column table to appear as a chart. Column-1 is x-axis and Column-2 is y-axis.
2. How to make x-axis labels skip every n units. (For example, if i have 0-180 in column-1, then i would like to have 0,30,60...180 - meaning label every 30th instead of crowding x-axis)
thanks
thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In general, if you make any two-column table with numbers in the second column, you should be able to chart it just by clicking the "Visualization" tab and choosing a line, area or column chart.
In your case, you have too many data points for the x-axis to show each one. There is no room for 1000 data points with numbers across, even across two very wide screens (I just tried). Your best hope is to (a) reduce the number of data points, and (b) go into the Format/X-Axis section of your chart and rotate the labels. There isn't any obvious provision for skipping labels, as far as I can tell.
Index This | When is October more than just the tenth month?
Observe and Secure All Apps with Splunk
What’s New & Next in Splunk SOAR
