Splunk Search

Trendline over time, displaying time values on x-axis

byu168
Path Finder

Hi,

I'm trying to plot a dataset over time. Here is my query:

index=gpm AND (ExperimentStart OR runtimedatatransferstartimpl)
| eval run_name=exp
| eval transfer_start=case(_raw LIKE "%RuntimeDataTransferStartImpl%", _time)
| eval experiment_start=case(_raw LIKE "%ExperimentStart%", _time)
| eventstats min(transfer_start) AS xfer_start, min(experiment_start) AS exp_start by run_name
| eval time_to_setup=(xfer_start-exp_start)/60
| eval Time = strftime(_time, "%m/%d %H:%M")
| search time_to_setup < 500
| chart values(time_to_setup) AS "Time to setup (Min)" by Time

This allows me to plot a trendline of time_to_setup over the course of a day. The issue is that there are so many x values that no labels show up on x-axis. Looking at the chart you can see the trend over time but there's no way to see when during the day the events occurred without hovering over the chart. This report is distributed as a pdf in an email so it's not viable to have users go onto the dashboard itself to see this.

I was wondering if there was a way to simply have a marker for every two hours (12 markers across a day) so that at face value the relative time of day that the event occurred can be determined.

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

Is is possible to increase the duration of your plotted y-axis values (right now you get a bar/line for each minute, so may be increase it to every 10min)?

View solution in original post

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Is is possible to increase the duration of your plotted y-axis values (right now you get a bar/line for each minute, so may be increase it to every 10min)?

0 Karma

byu168
Path Finder

I'm unsure what you mean. Do you mean changing the interval? Or binning my y-values? I attached a sample of what the dataset looks like. It's plotted on a line chart. Each Time/Time to setup is associated with a single experiment.

Time    Time to setup (Min)
12/06 11:26 8.183333
12/06 11:27 7.766667
12/06 11:31 7.783333
12/06 11:33 7.383333    
0 Karma

somesoni2
SplunkTrust
SplunkTrust

Yes. Binning the time by 10 min or so and using avg in chart command instead of valuea function.

0 Karma

byu168
Path Finder

Binning it by 10 minutes still wasn't sufficient. I had to bin it by 2h to get labels to start showing up. This should work fine though. Thanks, could you resubmit this as an answer so I can accept it?

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Here you go. Before we close this question, can you give this a try as well (avoid explicit binning).

index=gpm AND (ExperimentStart OR runtimedatatransferstartimpl)
 | eval run_name=exp
 | eval transfer_start=case(_raw LIKE "%RuntimeDataTransferStartImpl%", _time)
 | eval experiment_start=case(_raw LIKE "%ExperimentStart%", _time)
 | eventstats min(transfer_start) AS xfer_start, min(experiment_start) AS exp_start by run_name
 | eval time_to_setup=(xfer_start-exp_start)/60 
 | search time_to_setup < 500
 | timechart avg(time_to_setup) AS "Time to setup (Min)" 
 | fieldformat _time=strftime(_time, "%m/%d %H:%M")
0 Karma

byu168
Path Finder

Is there a reason why we want to avoid binning? This does successfully bin every half hour but still too many labels for them to show up on the x-axis.

0 Karma

cmerriman
Super Champion

how many days are you running this for?

0 Karma

byu168
Path Finder

Just the past 24 hours

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...