Splunk Search

How to set x-axis time intervals for a line chart?

AzySidhe
Explorer

I've read over all of the other variations of this question, but I haven't been able to make this work.

I have a search that runs for the Last 7 days that checks for events between 08:30 and 17:30 and then charts out a numerical value known as 'capture_value'. The end goal is to have each date as its own line along the same time frame. The time value that is used is a field in the log file rather than _time; however, I have been able to modify the search to use strftime(_time, "%H:%M:%S") and it works just the same. As the data comes in 5 minute increments, there are too many data points to display along the x-axis.

Is it possible to change this to be every hour or 30 minutes? I have tried to make this work with a timechart, but it doesn't give the results broken down by date over time like I want.

host=production source=madeup_source.csv (capture_time >= "08:30:00" AND capture_time <= "17:30:00") | chart values(capture_value) as COUNT by capture_time, capture_date useother=f limit=0


0 Karma
1 Solution

woodcock
Esteemed Legend

Try this:

host=production source=madeup_source.csv (capture_time >= "08:30:00" AND capture_time <= "17:30:00")
| eval pretend_everything_happened_today = capture_time . " " . strftime(now(), "%Y-%m-%d")
| eval _time = strptime(pretend_everything_happened_today, "%H:%M:%S %Y-%m-%d")
| timechart span=5m avg(capture_value) AS COUNT BY capture_date

AzySidhe
Explorer

Thank you so much! This set me on the right path! I had to modify the strptime a little as the date format was swapped (it needed to be "%H:%M:%S %Y-%m-%d") but this worked!

0 Karma

0YAoNnmRmKDg
Path Finder

have you tried

my awesome search | timechart span=30m count foo blah blah

span=30m will force Splunk to break into 30 minute segments

is that what you mean?

0 Karma
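As an added illustration (not part of this thread and not Splunk code), the Python script below mimics what the accepted search and the span=30m suggestion do together: pin every capture_time to one common date, floor it to the span the way timechart span= does, and average capture_value per bucket and capture_date so each date becomes its own series over a shared time-of-day axis. The sample rows and the pinned date are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows in the shape of the CSV source from the question:
# (capture_date, capture_time, capture_value), 5-minute samples on two days,
# plus one row outside the 08:30-17:30 window to show the filter.
SAMPLE_ROWS = [
    ("2024-03-11", "08:30:00", 10.0),
    ("2024-03-11", "08:35:00", 12.0),
    ("2024-03-11", "08:40:00", 14.0),
    ("2024-03-11", "09:00:00", 20.0),
    ("2024-03-11", "17:35:00", 99.0),
    ("2024-03-12", "08:30:00", 30.0),
    ("2024-03-12", "08:45:00", 34.0),
    ("2024-03-12", "09:05:00", 40.0),
]
WINDOW_START, WINDOW_END = "08:30:00", "17:30:00"
EPOCH = datetime(1970, 1, 1)


def pin_to_common_day(capture_time, pin_date="2024-01-01"):
    """The 'pretend everything happened today' step: attach one date to every
    time-of-day so rows from different dates share an x-axis. The search uses
    now(); a fixed (assumed) date keeps this example deterministic."""
    return datetime.strptime(f"{capture_time} {pin_date}", "%H:%M:%S %Y-%m-%d")


def bucket_start(ts, span_minutes):
    """Floor a timestamp to the start of its span, as timechart span= does."""
    span = timedelta(minutes=span_minutes)
    return EPOCH + ((ts - EPOCH) // span) * span


def timechart_by_date(rows, span_minutes=30):
    """Return {"HH:MM" bucket: {capture_date: avg(capture_value)}}: one series
    per date over the shared time-of-day axis, like 'BY capture_date'."""
    acc = defaultdict(lambda: defaultdict(lambda: [0.0, 0]))
    for capture_date, capture_time, value in rows:
        if not (WINDOW_START <= capture_time <= WINDOW_END):
            continue  # same lexical comparison the search's time filter does
        key = bucket_start(pin_to_common_day(capture_time), span_minutes)
        cell = acc[key.strftime("%H:%M")][capture_date]
        cell[0] += value
        cell[1] += 1
    return {k: {d: s / n for d, (s, n) in v.items()} for k, v in sorted(acc.items())}


if __name__ == "__main__":
    for span in (30, 60):  # the 30-minute and hourly axes asked about
        print(f"span={span}m", timechart_by_date(SAMPLE_ROWS, span))
```

Note that with an hourly span the first bucket starts at 08:00, not 08:30, because span boundaries are aligned to the clock, not to the search window.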

AzySidhe
Explorer

Close, but not quite. I have tried that and while it does break it down, the x-axis remains the full 7 days instead of the 8:30 - 17:30 window.

0 Karma

woodcock
Esteemed Legend

I do not understand. Are you saying that you would like each line on the line graph to represent a day (e.g. "today", "yesterday", "today-2", etc.)? If you will mock up a picture then I am sure that I can help you do this. Your description is unclear to me.

0 Karma

AzySidhe
Explorer

I've added a picture of what I'm currently seeing. What I would like to see along the X-axis is hourly increments from 8:30 - 17:30 but I can't make it show. The data points are every 5 minutes which results in Splunk turning the labels off by default.

0 Karma