Hi, I would like to create a time chart for a specified time suppose 8AM to 2PM everyday for last 30 days. I am able to chart it however in visualisation, the line from 2PM to next day 8AM is a straight line.
How can we exclude that line for duration(2PM to next day 8AM) and just show chart for 8AM to 2PM everyday as a single line.
Can we exclude the Green box line?
Query Used(just conditions):
| eval hour=tonumber(strftime(_time,"%H"))
| where hour >=8
| where hour <=14
| fields - hour
Because you are using _time as your x-axis, the chart will show all times in your time range. You could change your chart settings so that the lines are not joined
Alternatively, you could rename the _time field to something else, but then you would also have to format the time - you may also have to remove events where the value is null (depending on how your search is setup)
| rename _time as time
| fieldformat time=strftime(time,"%F %T")
However, this is likely to lead to the x-axis values having ellipses in, so you could rotate the labels
If you only have one count to display, another potentially useful visualization is to shift all days into one 24-hour period. Here is a demonstration for 9am - 5pm:
| tstats count where index=_internal earliest=-30d latest=+0d@d by _time span=1h
| eval day = relative_time(_time, "-0d@d")
| where relative_time(_time, "-8h@h") > day AND relative_time(_time, "-18h@h") < day
| timechart span=1h sum(count)
| timewrap 1day
Because you are using _time as your x-axis, the chart will show all times in your time range. You could change your chart settings so that the lines are not joined
Alternatively, you could rename the _time field to something else, but then you would also have to format the time - you may also have to remove events where the value is null (depending on how your search is setup)
| rename _time as time
| fieldformat time=strftime(time,"%F %T")
However, this is likely to lead to the x-axis values having ellipses in, so you could rotate the labels
