Splunk Search

How to edit the x-axis label for timechart to show increments of time (ex: 0, 60, 120 seconds, etc) rather than a timestamp?

vdevarayan
Path Finder

What seemed easy is not as easy as i thought.
Here is my usecase:
One of the fields i have is called Latency. I want average on it over time.
So, my search is like this:

index=index_name |  timechart bins=1000 avg(Latency)

Everthing is fine except the x-axis labeling which says 3:58:00 PM, Mon Apr 13 2015

I would like the label to be
0, 60, 120, 180 (representing seconds)
(or) 0,1,2,3,.. representing minutes.

What is the correct approach to do these type of calculations?
Macros or Python scripts or export the xml dashboard to html and manipulate the data with javascript?

Thanks

0 Karma
1 Solution

aweitzman
Motivator

You can achieve this by adding some additional commands to the end of your search:

index=index_name 
| timechart bins=1000 avg(Latency) as AvgLatency 
| eventstats earliest(_time) as etime 
| eval ntime=_time-etime 
| table ntime AvgLatency

The eventstats line adds a field called etime containing the earliest timestamp in your graph. The eval pushes all the times back by that amount, leaving you with a graph starting at 0. Then just table those fields and draw your graph.

View solution in original post

aweitzman
Motivator

You can achieve this by adding some additional commands to the end of your search:

index=index_name 
| timechart bins=1000 avg(Latency) as AvgLatency 
| eventstats earliest(_time) as etime 
| eval ntime=_time-etime 
| table ntime AvgLatency

The eventstats line adds a field called etime containing the earliest timestamp in your graph. The eval pushes all the times back by that amount, leaving you with a graph starting at 0. Then just table those fields and draw your graph.

vdevarayan
Path Finder

Excellent. Thanks aweitzman.
Your explanation was even better.

However, while charting, the x-axis label just says ntime. How to make it to say 0,60,...?

In general, i have trouble with the following:
1. making a two column table to appear as a chart. Column-1 is x-axis and Column-2 is y-axis.
2. How to make x-axis labels skip every n units. (For example, if i have 0-180 in column-1, then i would like to have 0,30,60...180 - meaning label every 30th instead of crowding x-axis)

thanks

thanks

0 Karma

aweitzman
Motivator

In general, if you make any two-column table with numbers in the second column, you should be able to chart it just by clicking the "Visualization" tab and choosing a line, area or column chart.

In your case, you have too many data points for the x-axis to show each one. There is no room for 1000 data points with numbers across, even across two very wide screens (I just tried). Your best hope is to (a) reduce the number of data points, and (b) go into the Format/X-Axis section of your chart and rotate the labels. There isn't any obvious provision for skipping labels, as far as I can tell.

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...