Splunk Search

Trendline over time, displaying time values on x-axis

Path Finder

Hi,

I'm trying to plot a dataset over time. Here is my query:

index=gpm AND (ExperimentStart OR runtimedatatransferstartimpl)
| eval run_name=exp
| eval transfer_start=case(_raw LIKE "%RuntimeDataTransferStartImpl%", _time)
| eval experiment_start=case(_raw LIKE "%ExperimentStart%", _time)
| eventstats min(transfer_start) AS xfer_start, min(experiment_start) AS exp_start by run_name
| eval time_to_setup=(xfer_start-exp_start)/60
| eval Time = strftime(_time, "%m/%d %H:%M")
| search time_to_setup < 500
| chart values(time_to_setup) AS "Time to setup (Min)" by Time

This allows me to plot a trendline of time_to_setup over the course of a day. The issue is that there are so many x values that no labels show up on the x-axis. Looking at the chart you can see the trend over time, but there's no way to see when during the day the events occurred without hovering over the chart. This report is distributed as a PDF in an email, so it's not viable to have users go onto the dashboard itself to see this.

I was wondering if there was a way to simply have a marker for every two hours (12 markers across a day) so that at face value the relative time of day that the event occurred can be determined.

0 Karma
1 Solution

SplunkTrust

Is it possible to increase the duration of your plotted y-axis values (right now you get a bar/line for each minute, so maybe increase it to every 10min)?

0 Karma

Path Finder

I'm unsure what you mean. Do you mean changing the interval? Or binning my y-values? I attached a sample of what the dataset looks like. It's plotted on a line chart. Each Time/Time to setup is associated with a single experiment.

Time          Time to setup (Min)
12/06 11:26   8.183333
12/06 11:27   7.766667
12/06 11:31   7.783333
12/06 11:33   7.383333

0 Karma

SplunkTrust

Yes. Binning the time by 10 min or so and using avg in the chart command instead of the values function.

0 Karma

Path Finder

Binning it by 10 minutes still wasn't sufficient. I had to bin it by 2h to get labels to start showing up. This should work fine though. Thanks, could you resubmit this as an answer so I can accept it?

0 Karma
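
The two-hour binning the thread settles on, written out as a search. This is an added example, not a query posted by either participant. It assumes one data point per run is wanted, so it swaps `eventstats` for `stats ... by run_name` (each run then counts once in the average) and stamps each run at its experiment start before `timechart span=2h` buckets it.

```spl
index=gpm AND (ExperimentStart OR runtimedatatransferstartimpl)
| eval run_name=exp
| eval transfer_start=case(_raw LIKE "%RuntimeDataTransferStartImpl%", _time)
| eval experiment_start=case(_raw LIKE "%ExperimentStart%", _time)
| stats min(transfer_start) AS xfer_start, min(experiment_start) AS exp_start by run_name
| eval time_to_setup=(xfer_start-exp_start)/60
| search time_to_setup < 500
| eval _time=exp_start
| timechart span=2h avg(time_to_setup) AS "Time to setup (Min)"
```

Over a 24-hour window this yields 12 buckets, one per two-hour span.
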

SplunkTrust

Here you go. Before we close this question, can you give this a try as well (avoid explicit binning)?

index=gpm AND (ExperimentStart OR runtimedatatransferstartimpl)
| eval run_name=exp
| eval transfer_start=case(_raw LIKE "%RuntimeDataTransferStartImpl%", _time)
| eval experiment_start=case(_raw LIKE "%ExperimentStart%", _time)
| eventstats min(transfer_start) AS xfer_start, min(experiment_start) AS exp_start by run_name
| eval time_to_setup=(xfer_start-exp_start)/60
| search time_to_setup < 500
| timechart avg(time_to_setup) AS "Time to setup (Min)"
| fieldformat _time=strftime(_time, "%m/%d %H:%M")

0 Karma

Path Finder

Is there a reason why we want to avoid binning? This does successfully bin every half hour but still too many labels for them to show up on the x-axis.

0 Karma

Super Champion

How many days are you running this for?

0 Karma

Path Finder

Just the past 24 hours

0 Karma