Hi Team,
Can anyone please provide me any help or clue on how to map dates/times proportionally on the x-axis of a Splunk chart?
In the below image, each date on the x-axis is placed equidistant from the other dates, irrespective of the difference in the number of days between the dates.
The First value on x-axis is 27 Jan 2016, 2nd value 10 Feb 2016 (difference in number of days - 14)
The 2nd value on x-axis is 10 Feb 2016 and 3rd value is 02 March 2016 (difference in number of days - 21)
And similarly, there are variations in the number of days on the x-axis, but irrespective of the difference in the number of days between them, they are all placed equidistantly.
Do we have any functionality in Splunk wherein this situation can be handled and the dates on the x-axis are placed proportionally to the gap between them?
I assume you are using a timechart without span. Try adding a span option to your timechart. Something like this:
.... | timechart span=1h cont=t count
This will give you count in 1 hour increments (you can adjust the increments). The cont=t specifies whether the chart is continuous or not.
http://docs.splunk.com/Documentation/Splunk/6.2.5/SearchReference/Timechart
Try this:
index=testindex Name=testName | eval fileDate=mvindex(split(mvindex(split(mvindex(split(source,"\\"),-1),"."),0),"_"),1) | eval dateSplit=split(fileDate,"-") | eval _time=mvindex(dateSplit,0).mvindex(dateSplit,1).mvindex(dateSplit,2) | timechart span=7d avg(abc)
Adjust your span value as you see fit.
Thanks woodcock!
So did this work?
Yes, kind of! I was looking for alternatives.
But for the time being, this can be good to go!
It should already be doing this. We need to see your search string (which is ALWAYS the best idea when posting a question).
Here goes my search query
index=testindex Name=testName | eval fileDate=mvindex(split(mvindex(split(mvindex(split(source,"\\"),-1),"."),0),"_"),1) | eval dateSplit=split(fileDate,"-") | eval displayDate=mvindex(dateSplit,0).mvindex(dateSplit,1).mvindex(dateSplit,2) | stats values(abc) by displayDate
Hi Sundareshr,
Thanks for your revert!
I am aware of the timechart command, but the span option can be pretty useful when I have at least a fair idea of the difference between the dates.
I can have anywhere from 2 days' difference to 30-40 days' difference between dates in my data, so span doesn't seem to be feasible here, though it can be considered as one way to fix this.
What I wanted was that the location of dates on the x-axis is distributed proportionally on the basis of the difference in the number of days, instead of equally spaced.
Any other suggestions?
Proportionality is dependent on having a common unit of measure, right? In your example it could be seconds, mins, hours, days or weeks. That is what the span command does. Set the common unit. Sounds like the min difference would be in days. I would suggest you could start with 1d. If that is not granular enough, you can change it to 1h or 1m.
Thanks Sundareshr!
@ashish9433 If this worked, please mark the question as answered to close it out and for others' benefit
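The approach discussed in this thread as a self-contained search (an added example, not posted by anyone in the thread). The three dates are the ones from the question; the dd-mm-yyyy string format and the abc values are constructed assumptions. The date string is converted to epoch time with strptime so that timechart can create one bucket per day, including the empty days between data points, which is what spaces the points proportionally.

```spl
| makeresults count=3
| streamstats count AS n
| eval fileDate=case(n=1, "27-01-2016", n=2, "10-02-2016", n=3, "02-03-2016")
| eval abc=n*10
| eval _time=strptime(fileDate, "%d-%m-%Y")
| timechart span=1d cont=t avg(abc)
```

In a line chart the empty days show as gaps unless the chart's null value handling is set to connect the points.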