Splunk Search

Trendline over time, displaying time values on x-axis

byu168
Path Finder

Hi,

I'm trying to plot a dataset over time. Here is my query:

index=gpm AND (ExperimentStart OR runtimedatatransferstartimpl)
| eval run_name=exp
| eval transfer_start=case(_raw LIKE "%RuntimeDataTransferStartImpl%", _time)
| eval experiment_start=case(_raw LIKE "%ExperimentStart%", _time)
| eventstats min(transfer_start) AS xfer_start, min(experiment_start) AS exp_start by run_name
| eval time_to_setup=(xfer_start-exp_start)/60
| eval Time = strftime(_time, "%m/%d %H:%M")
| search time_to_setup < 500
| chart values(time_to_setup) AS "Time to setup (Min)" by Time

This allows me to plot a trendline of time_to_setup over the course of a day. The issue is that there are so many x values that no labels show up on x-axis. Looking at the chart you can see the trend over time but there's no way to see when during the day the events occurred without hovering over the chart. This report is distributed as a pdf in an email so it's not viable to have users go onto the dashboard itself to see this.

I was wondering if there was a way to simply have a marker for every two hours (12 markers across a day) so that at face value the relative time of day that the event occurred can be determined.

0 Karma
1 Solution

somesoni2
Revered Legend

Is it possible to increase the duration of your plotted y-axis values (right now you get a bar/line for each minute, so maybe increase it to every 10min)?

0 Karma

byu168
Path Finder

I'm unsure what you mean. Do you mean changing the interval? Or binning my y-values? I attached a sample of what the dataset looks like. It's plotted on a line chart. Each Time/Time to setup is associated with a single experiment.

Time         Time to setup (Min)
12/06 11:26  8.183333
12/06 11:27  7.766667
12/06 11:31  7.783333
12/06 11:33  7.383333

0 Karma

somesoni2
Revered Legend

Yes. Binning the time by 10 min or so and using avg in the chart command instead of the values function.

0 Karma

byu168
Path Finder

Binning it by 10 minutes still wasn't sufficient. I had to bin it by 2h to get labels to start showing up. This should work fine though. Thanks, could you resubmit this as an answer so I can accept it?

0 Karma

somesoni2
Revered Legend

Here you go. Before we close this question, can you give this a try as well (avoid explicit binning)?

index=gpm AND (ExperimentStart OR runtimedatatransferstartimpl)
| eval run_name=exp
| eval transfer_start=case(_raw LIKE "%RuntimeDataTransferStartImpl%", _time)
| eval experiment_start=case(_raw LIKE "%ExperimentStart%", _time)
| eventstats min(transfer_start) AS xfer_start, min(experiment_start) AS exp_start by run_name
| eval time_to_setup=(xfer_start-exp_start)/60
| search time_to_setup < 500
| timechart avg(time_to_setup) AS "Time to setup (Min)"
| fieldformat _time=strftime(_time, "%m/%d %H:%M")

0 Karma

byu168
Path Finder

Is there a reason why we want to avoid binning? This does successfully bin every half hour but still too many labels for them to show up on the x-axis.

0 Karma

cmerriman
Super Champion

How many days are you running this for?

0 Karma

byu168
Path Finder

Just the past 24 hours.

0 Karma
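Putting the thread's conclusion (one bucket every two hours over the 24-hour window, which gives the 12 x-axis markers asked for) into a single search, as an added example that is not one of the posts above. It assumes the same index, fields and event strings as the original query; it also collapses each run to one row before charting (a stats instead of eventstats, with _time set to the run's experiment start) so that a run with many events does not weight the average, which is an addition of mine, not something the thread states. The fieldformat line is dropped because timechart already plots on a time axis.

```spl
index=gpm AND (ExperimentStart OR runtimedatatransferstartimpl)
| eval run_name=exp
| eval transfer_start=case(_raw LIKE "%RuntimeDataTransferStartImpl%", _time)
| eval experiment_start=case(_raw LIKE "%ExperimentStart%", _time)
| stats min(transfer_start) AS xfer_start, min(experiment_start) AS exp_start by run_name
| eval _time=exp_start, time_to_setup=(xfer_start-exp_start)/60
| where time_to_setup < 500
| timechart span=2h avg(time_to_setup) AS "Time to setup (Min)"
```

Runs that are missing either marker get a null time_to_setup and are dropped by the where clause; the span value can be changed to 1h for 24 markers if the chart width allows it.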