Solved: Timechart with Time (X-) Axis delineated in "T-min...

woodcock · ‎08-01-2014

I have a timechart that shows latency in minutes for the last 24 hours snapped to the hour. What I would like to see for the X-axis is NOT the time of day as is shown by default but The rigthmost point shown as "0" and the leftmost edge shown as either T-1400, -1440 or 1440. The benefit should be obvious: If my latency is running 300 minutes, I need to know where T-300 minutes is because everything after that is useless.

somesoni2 · ‎08-01-2014

Assumming you timechart commmand give _time and latency field, try something like this

Your base search with timechart giving _time and latency field| eventstats max(_time) as T_Minutes| eval T_Minutes=round((_time-T_Minutes)/60) | table T_Minutes, latency

Gives minutes values on x-axis from 0 to 1440 at the interval of 60.

You can format the value of T_Minutes per your need by updating the "| eval T_Minutes..."
e.g. to get x-axis values like T-0, T-180,...T-1440" use this

| eval T_Minutes="T-".round((_time-T_Minutes)/60)

View solution in original post

somesoni2 · ‎08-01-2014

Assumming you timechart commmand give _time and latency field, try something like this

Your base search with timechart giving _time and latency field| eventstats max(_time) as T_Minutes| eval T_Minutes=round((_time-T_Minutes)/60) | table T_Minutes, latency

Gives minutes values on x-axis from 0 to 1440 at the interval of 60.

You can format the value of T_Minutes per your need by updating the "| eval T_Minutes..."
e.g. to get x-axis values like T-0, T-180,...T-1440" use this

| eval T_Minutes="T-".round((_time-T_Minutes)/60)

somesoni2 · ‎08-01-2014

Updated answer to use max(_time) (missed the right most tick should be 0 clue)

Timechart with Time (X-) Axis delineated in "T-minutes before now"?

What’s New in Splunk Cloud Platform 9.1.2308?

Index This | Why do they call it hyper text?

State of Splunk Careers 2023: Career Resilience and the Continued Value of Splunk