
How to split time equally in bar chart

Path Finder
index=main sourcetype=myTest host="hello1234" getUserDetail | rex "(?im)^(?:[^:]*:){4}\s(?P<TIMESTAMP>(?P<Date>[^T]*)T(?P<Time>[^\-]*))-(?:[^,]*,){6}(?P<SERVICENAME>[^,]+),(?P<OPERATION>[^,]*),(?P<DURATION>[^(ms)]+)ms" | where DURATION >= 15000 | table DURATION,_time

I'm creating a bar chart from the above search. The problem I'm facing is

  1. I am getting duration on the x-axis and time on the y-axis. I need it the other way round.
  2. I have at least 500 results. Since the result count is higher, the timestamp values disappear. If the result count is around 25, then the timestamp values are visible. I don't want to show all timestamp values on the x-axis. My requirement is that I am creating a report with one day's data, so I want the x-axis to be split into 24 pieces (1 hr difference for each point). To make it clear:
Time      Duration
10:10:00  50
10:12:00  150
10:15:00  500
11:10:00  250
11:30:00  510

I don't want five points on the x-axis. I need only 2 points (10:00:00, 11:00:00), but I want all the points to be marked in the chart. Is there a feature in Splunk to accomplish this?

0 Karma

SplunkTrust

You're probably looking for timechart:

... | timechart avg(DURATION)

That will automatically bucket your data into equally sized spans and put the time onto the X-axis.

0 Karma

SplunkTrust

In order to have 500 randomly distributed events fit a chart equally and have each and every event appear with its own column you'll need a huge number of columns - way beyond what you can reasonably chart or display.

0 Karma

Path Finder

I don't want to calculate the average. I need all points to be plotted in the chart (line chart). In the below search, if the search result count is < 10 I'm able to see the labels, but if the result count is > 10 the labels start disappearing. I don't want to show all the times on the x-axis, just 12 points, i.e. 00:00, 2:00, 4:00 ...

index=main sourcetype=myTest host="hello1234" getUserDetail | rex "(?im)^(?:[^:]*:){4}\s(?P<TIMESTAMP>(?P<Date>[^T]*)T(?P

0 Karma

Communicator

and you can define the span for the (1-hour) buckets by:

... | timechart span=1h avg(DURATION)

0 Karma
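As an added example (not posted by anyone in this thread), the search below combines the rex from the question with the timechart span suggested in the two answers above. It assumes the index, sourcetype, host and field names exactly as they appear in the question; the earliest/latest time modifiers, the tonumber/trim guard, and the aggregate aliases are my additions.

```spl
index=main sourcetype=myTest host="hello1234" getUserDetail earliest=-1d@d latest=@d
| rex "(?im)^(?:[^:]*:){4}\s(?P<TIMESTAMP>(?P<Date>[^T]*)T(?P<Time>[^\-]*))-(?:[^,]*,){6}(?P<SERVICENAME>[^,]+),(?P<OPERATION>[^,]*),(?P<DURATION>[^(ms)]+)ms"
| eval DURATION=tonumber(trim(DURATION))
| where DURATION >= 15000
| timechart span=1h max(DURATION) AS max_ms avg(DURATION) AS avg_ms count AS slow_calls
```

The earliest=-1d@d latest=@d window covers exactly yesterday's full day, so span=1h produces 24 buckets labelled 00:00, 01:00, ... on the x-axis, which is the hourly axis the question asks for. Because rex extracts DURATION as text, tonumber(trim(...)) makes sure the where comparison is numeric rather than string-based (assumption: the raw value is a plain integer followed by "ms"). Using max alongside avg keeps the slowest call in each hour visible even though the individual 500 events are no longer plotted one by one, and count shows how many calls exceeded the 15000 ms threshold per hour; an hour with no slow calls shows an empty max/avg and a count of 0. To split the lines per service, append "by SERVICENAME" to a single aggregate, e.g. timechart span=1h max(DURATION) by SERVICENAME.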