How to rename the X-axis points in my chart from month number to month name?

pal4life
Path Finder

Hello,
Right now on my line chart, the months are labelled as 1, 2, 3 - I would like them to be displayed as Jan, Feb, Mar. How do I do that?
This is currently just a search from my csv upload:

source="Dashboard-3-17-2017-Splunk-Month-1.csv" host="splunk.engine.host" index="security" sourcetype="csv" | table Application, 1, 2, 3 | untable Application Months Value | chart first(Value) over Months by Application

Thanks.

woodcock
Esteemed Legend

Like this:

source="Dashboard-3-17-2017-Splunk-Month-1.csv" host="splunk.engine.host" index="security" sourcetype="csv"
| table Application, 1, 2, 3 | untable Application Months Value
| chart first(Value) over Months by Application
| fieldformat Months=strftime(strptime(Months . " 1 2017", "%m %d %Y"), "%b")

woodcock
Esteemed Legend

Like this:

source="Dashboard-3-17-2017-Splunk-Month-1.csv" host="splunk.engine.host" index="security" sourcetype="csv"
| table Application, 1, 2, 3 | untable Application Months Value
| chart first(Value) over Months by Application
| fieldformat Months=case((Months=1),  "Jan",
                          (Months=2),  "Feb",
                          (Months=3),  "Mar",
                          (Months=4),  "Apr",
                          (Months=5),  "May",
                          (Months=6),  "Jun",
                          (Months=7),  "Jul",
                          (Months=8),  "Aug",
                          (Months=9),  "Sep",
                          (Months=10), "Oct",
                          (Months=11), "Nov",
                          (Months=12), "Dec")

somesoni2
SplunkTrust

Try like this
Updated

source="Dashboard-3-17-2017-Splunk-Month-1.csv" host="splunk.engine.host" index="security" sourcetype="csv" | table Application, 1, 2, 3 | untable Application Months Value | eval Months=strftime(strptime("2017-".Months."-01","%Y-%m-%d"),"%m. %b")| chart first(Value) over Months by Application 

pal4life
Path Finder

Error in 'eval' command: The expression is malformed. Expected ).
And then it gives Error in 'eval' command: The arguments to the 'strptime' function are invalid.


somesoni2
SplunkTrust

Oops. Try now.


pal4life
Path Finder

That works but then it again starts showing me Feb first then Jan then Mar. I had to upload with the Month nos so that I get the Months accordingly but Splunk seems to keep giving me Feb before Mar, even adding a sort Months ascending in the end does not seem to help.
Thanks.


somesoni2
SplunkTrust

See if updated answer helps. (output will be like 1. Jan, 2. Feb... etc). Else try this

source="Dashboard-3-17-2017-Splunk-Month-1.csv" host="splunk.engine.host" index="security" sourcetype="csv" | table Application, 1, 2, 3 | untable Application Months Value| chart first(Value) over Months by Application   | eval Months=strftime(strptime("2017-".Months."-01","%Y-%m-%d"),"%b")

pal4life
Path Finder

This one worked for me
