Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

convert thousand to K in timechart

jrodriguezap
Contributor
‎08-07-2014 09:24 PM

Hi!!
Please, someone who perhaps has ever happened, I'm generating a report with timechart, but the Y value reaches thousands and millions. I wish for these cases, the value becomes 1K or 1M, without the graphic timechart deformed.
My query

search ... | timechart span=10m count by state

Under a modified image with the desired outcome to be more clear
alt text

Thank you in advance.

Tags (3)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎08-08-2014 03:17 AM

Your screenshot suggests you want to squish the range from 75k to 1M into one 25k range, and leave 0k to 75k unsquished?

That can be done with a bit of Splunk search foo, but the display isn't going to tell the user about it. Here's an idea:

your search | timechart count by state | foreach * [eval <<FIELD>> = if('<<FIELD>>' <= 75000, '<<FIELD>>', 75000 + (('<<FIELD>>'-75000)*(25000/975000)))]

That will scale the graph above 75k such that 1M will fall onto 100k... but the values shown in the chart are the squished values, not the original values.

What you actually need is a more flexible charting library that allows you nonlinear scales beyond simple logarithmic scales. If such a thing exists in the Javascript framework world then you can build it into your Splunk.

0 Karma
Reply

jrodriguezap
Contributor
‎08-08-2014 07:57 AM

Oh, I see it is complicated.
Since there is no function or style to convert these values​​, an alternative would be suspected Javascript.
Hopefully sometime Splunk can have this option, it would be good to show what great graphics figures.
Thank you all!

0 Karma
Reply

Suda
Communicator
‎08-08-2014 12:00 AM

I think it would be very hard. I have an idea but it can support only "K" or "M".

Could you try the following search query?

(your search) 
| bucket span=10m
| stats count by state _time
| eval k=count/1000
| timechart span=10m sum(k) AS count by state

Thanks.

0 Karma
Reply

strive
Influencer
‎08-08-2014 03:57 AM

What he needs is Unit K or M, your eval will just convert the number but it wont add unit K at the end of the converted number.

0 Karma
Reply

Lucas_K
Motivator
‎08-07-2014 10:12 PM

You could always just eval the count down by some factor.

search ... | stats count by state | eval k=count/1000 | timechart span=10m k by state

You could also use a logarithmic y axis in your timechart. If you data is regularly having peaks like that.

0 Karma
Reply

strive
Influencer
‎08-08-2014 04:01 AM

What he needs is Unit K or M, your eval will just convert the number but it wont add unit K at the end of the converted number.

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...