Solved: How to set x-axis time intervals for a line chart?

AzySidhe · ‎03-01-2016

I've read over all of the other variations of this question, but I haven't been able to make this work.

I have a search that runs for the Last 7 days that checks for events between 08:30 and 17:30 and then charts out a numerical value known as 'capture_value'. The end goal is to have each date as its own line along the same time frame. The time value that is used is a field in the log file rather than _time, however, I have been able to modify the search to use strftime(_time, "%H:%M:%S") and it works just the same. As the data comes in 5 minute increments, there are too many data points to display along the x-axis.

Is it possible to change this to be every hour or 30 minutes? I have tried to make this work with a timechart, but it doesn't give the results broken down by date over time like I want.

host=production source=madeup_source.csv (capture_time >= "08:30:00" AND capture_time <= "17:30:00") | chart values(capture_value) as COUNT by capture_time, capture_date useother=f limit=0

woodcock · ‎04-02-2016

Try this:

 host=production source=madeup_source.csv (capture_time >= "08:30:00" AND capture_time <= "17:30:00") 
| eval pretend_everything_happened_today = capture_time . " " . strftime(now(), "%Y-%m-%d")
| eval _time = strptime(pretend_everything_happened_today , "%Y-%m-%d &H:%M:%S")
| timechart span=5m avg(capture_value) AS COUNT BY capture_date

View solution in original post

woodcock · ‎04-02-2016

Try this:

 host=production source=madeup_source.csv (capture_time >= "08:30:00" AND capture_time <= "17:30:00") 
| eval pretend_everything_happened_today = capture_time . " " . strftime(now(), "%Y-%m-%d")
| eval _time = strptime(pretend_everything_happened_today , "%Y-%m-%d &H:%M:%S")
| timechart span=5m avg(capture_value) AS COUNT BY capture_date

AzySidhe · ‎04-04-2016

Thank you so much! This set me on the right path! I had to modify the strptime a little as the date format was swapped (it needed to be "%H:%M:%S %Y-%m-%d") but this worked!

0YAoNnmRmKDg · ‎03-01-2016

have you tried

my awesome search | timechart span=30m count foo blah blah

span=30m will force Splunk to break into 30 minute segments

is that what you mean?

AzySidhe · ‎03-05-2016

Close, but not quite. I have tried that and while it does break it down, the x-axis remains the full 7 days instead of the 8:30 - 17:30

woodcock · ‎03-01-2016

I do not understand. Are you saying that you would like each line on the line graph to represent a day (e.g. "today", "yesterday", "today-2", etc.) If you will mock up a picture then I am sure that I can help you do this. Your description is unclear to me.

AzySidhe · ‎03-05-2016

I've added a picture of what I'm currently seeing. What I would like to see along the X-axis is hourly increments from 8:30 - 17:30 but I can't make it show. The data points are every 5 minutes which results in Splunk turning the labels off by default.

How to set x-axis time intervals for a line chart?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?