I have a requirement to display the count of data received over the last 7 days. I need to show the total with a data point every 15 minutes, and the count should reset (start over at 0) at midnight. (The graph looks like a sawtooth, growing until midnight, then a line down to 0 and starting to grow again.) The search I have is working great. I just need to somehow display the time (mm/dd hh:mm) on the x-axis.
This is my search:
index=foo | timechart span=15m count as count | addtotals fieldname=count | eval time=strftime(_time,"%H:%M") | streamstats sum(count) as totalCount reset_after="("match(time,\"23:45\")")" |table _time, totalCount | eval _time=strftime(_time, "%m/%d %H:%M")
This generates the correct data points, but there are no labels on the x-axis where I'd like the _time to display. Currently the user must hover over a datapoint to see what date they are looking at.
Any ideas?
Give this a try:
index=foo | timechart span=15m count | eval day=relative_time(_time,"@d") | streamstats sum(count) as totalCount by day |table _time, totalCount | eval _time=strftime(_time, "%m/%d %H:%M")