I'm trying to create a chart that has the time of day on the y axis. I have a results table that looks like this:
Database  Time_of_Day
db_1      10:00
db_2      10:05
db_3      13:30
If I do a "chart max(TimeofDay) by Database" I see results in the results table but nothing in any of the chart types. What am I missing here? How do I tell Splunk to use a time scale for the Y axis?
The problem that I see here is that there is no truly "graphable" data in your output.
You cannot tell Splunk to use a time-scale on the Y axis. At least not for timechart: by definition, the Y axis must be the numeric result of one of the timechart functions, and none of them return time values.
max(Time_of_Day) will work only if Time_of_Day is numeric - otherwise it returns null values.
You could do something like this
yoursearchhere | timechart span=30m count by Database
which will graph the count of events attributable to each database.
You might also look at the xyseries command, but I am not sure that it will do what you want, either...
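Added example, not part of the original answer: since max() only charts numeric fields, one option is to convert the HH:MM string into decimal hours before charting. The makeresults rows below are constructed sample data mirroring the table in the question, and hour_of_day is a hypothetical field name.

```spl
| makeresults count=3
| streamstats count AS n
``` constructed sample rows: db_1 10:00, db_2 10:05, db_3 13:30 ```
| eval Database="db_".n
| eval Time_of_Day=case(n=1, "10:00", n=2, "10:05", n=3, "13:30")
``` split "HH:MM" and turn it into a number the chart can plot ```
| eval parts=split(Time_of_Day, ":")
| eval hour_of_day=round(tonumber(mvindex(parts, 0)) + tonumber(mvindex(parts, 1)) / 60, 2)
``` drop rows whose Time_of_Day did not parse, so they do not chart as nulls ```
| where isnotnull(hour_of_day)
| chart max(hour_of_day) by Database
```

The Y axis then shows hours as plain numbers (13.5 for 13:30), not a clock-formatted time scale.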