Has this perhaps happened to anyone? I'm generating a report with timechart, but the Y value reaches thousands and millions. In these cases, I would like the value to be shown as 1K or 1M, without the timechart graphic being deformed.
search ... | timechart span=10m count by state
Below is a modified image with the desired outcome, to make it clearer.
Thank you in advance.
Your screenshot suggests you want to squish the range from 75k to 1M into one 25k range, and leave 0k to 75k unsquished?
That can be done with a bit of Splunk search foo, but the display isn't going to tell the user about it. Here's an idea:
your search | timechart count by state | foreach * [eval <<FIELD>> = if('<<FIELD>>' <= 75000, '<<FIELD>>', 75000 + (('<<FIELD>>'-75000)*(25000/925000)))]
That will scale the graph above 75k such that 1M will fall onto 100k... but the values shown in the chart are the squished values, not the original values.
Oh, I see it is complicated.
Hopefully Splunk will have this option someday; it would be good for showing large figures in graphs.
Thank you all!
I think it would be very hard. I have an idea but it can support only "K" or "M".
Could you try the following search query?
(your search) | bucket _time span=10m | stats count by state _time | eval k=count/1000 | timechart span=10m sum(k) AS count by state
You could always just eval the count down by some factor.
search ... | bucket _time span=10m | stats count by _time state | eval k=count/1000 | timechart span=10m sum(k) by state
You could also use a logarithmic y-axis in your timechart, if your data regularly has peaks like that.
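
The logarithmic y-axis suggestion above, shown as a Simple XML dashboard panel. This is an added example, not part of the original thread; the base search `index=main`, the label and the time range are placeholder assumptions.

```xml
<dashboard>
  <label>Events by state</label>
  <row>
    <panel>
      <chart>
        <search>
          <!-- "index=main" is a placeholder base search (assumption); use your own -->
          <query>index=main | timechart span=10m count by state</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">line</option>
        <!-- Log scale: peaks in the millions no longer flatten series in the thousands -->
        <option name="charting.axisY.scale">log</option>
      </chart>
    </panel>
  </row>
</dashboard>
```

Because the search itself is unchanged, the chart plots the real counts, unlike the scaled values produced by the eval-based approaches.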