How to get other field on x-axis other than _time?

bollam · ‎07-19-2018

I'm fetching data by hitting an API, and the data I get will be a single event which consists of cpu_used and corresponding time(cpu_time).
The cpu_time will be in the format (1531981800). I need to plot a timechart based on the cpu_used by cpu_time but not _time.
While i'm running following query I'm getting _time in the x-axis but which should suppose to be cpu_used and cpu_used on the y-axis.

x-axis values as follows: i531981800, 1531982400, 1531982700, 1531983000 1531983600
and corresponding y-axis values: 25, 40, 30, 55, 70

Query:
index=sai_core source="saii"
| eval mytime=strftime(cpu_time, "%Y-%m-%d %H:%M:%S")
| timechart span=1h values(cpu_used) by mytime

Shan · ‎07-19-2018

@bollam

Below one is a test query i have provided.
What you need to do is .. Just assign the calculated field mytime to the _time. example | eval _time = mytime .
Then you will get your own time field value in the timechart.

| makeresults 
| eval mytrimexaxis =mvappend("1531981800","1531982400","1531982700","1531983000","1531983600") 
| eval mytime=strftime(mytrimexaxis, "%Y-%m-%d %H:%M:%S")
| eval cpu_usedyaxis  =mvappend("25","40","30","55","70")
| eval _time = mytime      
| mvexpand mytrimexaxis 
| mvexpand cpu_usedyaxis
| timechart span=1h values(cpu_usedyaxis)

If your query is resolved and got the solution ..
Please accept the answer..

bollam · ‎07-21-2018

@Shan,Thanks for the quick response! I gave these four values as an instance, i have got hundreds of such values (cpu_time and cpu_used) in a single event, How do I achieve desired results when having such bunch of values, Can you assist on this can I also get the results using index rather than makeresults command?

How to get other field on x-axis other than _time?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?