Hello,
Right now on my line chart, the months are labelled as 1, 2, 3 - I would like them to be displayed as Jan, Feb, Mar. How do I do that?
This is currently just a search from my csv upload:
source="Dashboard-3-17-2017-Splunk-Month-1.csv" host="splunk.engine.host" index="security" sourcetype="csv" | table Application, 1, 2, 3 | untable Application Months Value | chart first(Value) over Months by Application |
Thanks.
Try like this
Updated
source="Dashboard-3-17-2017-Splunk-Month-1.csv" host="splunk.engine.host" index="security" sourcetype="csv" | table Application, 1, 2, 3 | untable Application Months Value | eval Months=strftime(strptime("2017-".Months."-01","%Y-%m-%d"),"%m. %b")| chart first(Value) over Months by Application
Like this:
source="Dashboard-3-17-2017-Splunk-Month-1.csv" host="splunk.engine.host" index="security" sourcetype="csv"
| table Application, 1, 2, 3 | untable Application Months Value
| chart first(Value) over Months by Application
| fieldformat Months=strftime(strptime(Months . " 1 2017", "%m %d %Y"), "%b")
Like this:
source="Dashboard-3-17-2017-Splunk-Month-1.csv" host="splunk.engine.host" index="security" sourcetype="csv"
| table Application, 1, 2, 3 | untable Application Months Value
| chart first(Value) over Months by Application
| fieldformat Months=case((Months=1), "Jan",
(Months=2), "Feb",
(Months=3), "Mar",
(Months=4), "Apr",
(Months=5), "May",
(Months=6), "Jun",
(Months=7), "Jul",
(Months=8), "Aug",
(Months=9), "Sep",
(Months=10), "Oct",
(Months=11), "Nov",
(Months=12), "Dec")
Try like this
Updated
source="Dashboard-3-17-2017-Splunk-Month-1.csv" host="splunk.engine.host" index="security" sourcetype="csv" | table Application, 1, 2, 3 | untable Application Months Value | eval Months=strftime(strptime("2017-".Months."-01","%Y-%m-%d"),"%m. %b")| chart first(Value) over Months by Application
Error in 'eval' command: The expression is malformed. Expected ).
And then it gives Error in 'eval' command: The arguments to the 'strptime' function are invalid.
Oops. Try now.
That works but then it again starts showing me Feb first then Jan then Mar. I had to upload with the Month nos so that I get the Months accordingly but Splunk seems to keep giving me Feb before Mar, even adding a sort Months ascending in the end does not seem to help.
Thanks.
See if updated answer helps. (output will be like 1. Jan, 2. Feb... etc). Else try this
source="Dashboard-3-17-2017-Splunk-Month-1.csv" host="splunk.engine.host" index="security" sourcetype="csv" | table Application, 1, 2, 3 | untable Application Months Value| chart first(Value) over Months by Application | eval Months=strftime(strptime("2017-".Months."-01","%Y-%m-%d"),"%b")
This one worked form me