Solved: Re: [Need Help] how to reverse the time scale and ...

cheriemilk · ‎10-21-2020

Hi team,

I have below query

index=*bizx_application AND sourcetype=perf_log_bizx AND AutoSaveForm OR SaveFormV2 OR SaveForm

| timechart count by SFDC useother=false limit=0

the timechart returned as below.

Now I want to adjust the _time scale in x axis to display from latest to earliest which means put the latest _time and corresponding count in the left.

How should I modify my query to achieve this adjustment?

ITWhisperer · ‎10-26-2020

@cheriemilk

It seems to work with rename as well

<Base Query>
| bin span=2h _time
| stats count as number by _time SFDC
| rename _time as Time
| chart values(number)  by Time SFDC limit=0 useother=f
| reverse

Although you might still need to format the field if that's important to you

View solution in original post

cheriemilk · ‎10-25-2020

@ITWhisperer

I found this way works:

| bin span=2h _time

| stats count as number by _time SFDC

| eval Time=strftime(_time,"%Y/%m/%d %H:%M")

| chart values(number) by Time SFDC limit=0 useother=f

| reverse

ITWhisperer · ‎10-26-2020

@cheriemilk

It seems to work with rename as well

<Base Query>
| bin span=2h _time
| stats count as number by _time SFDC
| rename _time as Time
| chart values(number)  by Time SFDC limit=0 useother=f
| reverse

Although you might still need to format the field if that's important to you

cheriemilk · ‎10-26-2020

@ITWhisperer Thanks.

bowesmana · ‎10-21-2020

I don't think it's sensibly possible with timecharts. You can covert time to some string value, which is sorted datewise, but you will be limited on number of data points.

| timechart span=1h count
| reverse
| eval t=strftime(_time,"%F %T")
| table t count

but it's not really what you're after

cheriemilk · ‎10-22-2020

I tried with stats and chart . but the chart doesn't reverse as expected.

baseQuery

| fieldformat _time=strftime(_time,"%Y-%m-%d %H:%M:%S")

| bin span=2h _time

| stats count by _time SFDC

| chart values(count) by _time, SFDC

| reverse

ITWhisperer · ‎10-22-2020

It appears that chart will order time earliest to latest. The closest I have got is this

baseQuery
``` new time as number of second until next hour ```
| eval time=relative_time(relative_time(now(),"@h")+3600-_time,"@h") 
``` 2 hour bins using new time ```
| bin span=2h time
``` stats using new time ```
| stats count by time SFDC
``` reformat new time for display purposes ```
| fieldformat time=strftime(relative_time(now(),"@h")+3600-time,"%Y-%m-%d %H:%M") 
``` new time as x-axis, count as y-axis, SFDC series ```
| xyseries time, SFDC, count

The problem with this is that the values on the x-axis are not displayed nicely.

cheriemilk · ‎10-22-2020

Hi @ITWhisperer

there's no direct way to reverse the time order in timechart, right?

[Need Help] how to reverse the time scale and corresponding count in x axis from timechart.

timechart

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation