Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Timechart with Time (X-) Axis delineated in "T-minutes before now"?

woodcock
Esteemed Legend
‎08-01-2014 01:47 PM

I have a timechart that shows latency in minutes for the last 24 hours snapped to the hour. What I would like to see for the X-axis is NOT the time of day as is shown by default but The rigthmost point shown as "0" and the leftmost edge shown as either T-1400, -1440 or 1440. The benefit should be obvious: If my latency is running 300 minutes, I need to know where T-300 minutes is because everything after that is useless.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-01-2014 01:59 PM

Assumming you timechart commmand give _time and latency field, try something like this

Your base search with timechart giving _time and latency field| eventstats max(_time) as T_Minutes| eval T_Minutes=round((_time-T_Minutes)/60) | table T_Minutes, latency

Gives minutes values on x-axis from 0 to 1440 at the interval of 60.

You can format the value of T_Minutes per your need by updating the "| eval T_Minutes..."
e.g. to get x-axis values like T-0, T-180,...T-1440" use this 

| eval T_Minutes="T-".round((_time-T_Minutes)/60)

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-01-2014 01:59 PM

Assumming you timechart commmand give _time and latency field, try something like this

Your base search with timechart giving _time and latency field| eventstats max(_time) as T_Minutes| eval T_Minutes=round((_time-T_Minutes)/60) | table T_Minutes, latency

Gives minutes values on x-axis from 0 to 1440 at the interval of 60.

You can format the value of T_Minutes per your need by updating the "| eval T_Minutes..."
e.g. to get x-axis values like T-0, T-180,...T-1440" use this 

| eval T_Minutes="T-".round((_time-T_Minutes)/60)
0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎08-01-2014 02:06 PM

Updated answer to use max(_time) (missed the right most tick should be 0 clue)

0 Karma
Reply
Get Updates on the Splunk Community!

Reduce and Transform Your Firewall Data with Splunk Data Management

Managing high-volume firewall data has always been a challenge. Noisy events and verbose traffic logs often ...

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...