Solved: How to use timestamp as x axis in chart?

firstname · ‎08-17-2022

Currently I have used a similar query to what is below to plot data on a 24 hour graph.

index=mock_index source=mock_source.log param1 param2 param3
| rex field=_raw "Latency: (?<latency>[0-9]+)"
| eval time = mvjoin(mvindex(split(_raw, " "), 0, 1), " ")
| eval time = strptime(time, "%Y-%m-%d %H:%M:%S,%3N")
| table time, latency

An example event:

2022-08-16 14:04:34,123 INFO [stuff] Latency: 55 [stuff]

Ideally I would like to get latency averages over 5 minute periods, and display the data to a graph where the x-axis labels 30 minute intervals. Given this goal, is strptime() the best way to manage the timestamps in my events?

isoutamo · ‎08-17-2022

Hi

why not use just timechart command?

index=mock_index source=mock_source.log param1 param2 param3
| rex field=_raw "Latency: (?<latency>[0-9]+)"
| timechart span=5m avg(latency) as latency

I expecting that your event's _time is same as your examples date + time.

r. Ismo

View solution in original post

isoutamo · ‎08-17-2022

Hi

why not use just timechart command?

index=mock_index source=mock_source.log param1 param2 param3
| rex field=_raw "Latency: (?<latency>[0-9]+)"
| timechart span=5m avg(latency) as latency

I expecting that your event's _time is same as your examples date + time.

r. Ismo

How to use timestamp as x axis in chart?

timechart

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation