I want my timechart to show system logins for the last 12 months
my search is sourcetype="logins" | timechart dc(Username)
The graph shows data by month for each month, but the X-axis tick marks and labels are only for November 2012, January 2013, March, May, July, September.
For the life of me, I can't find out how to make it display a tick mark and month name for each month. It's a standard search, but I really want it in a dashboard. I have read about
<option name="charting.axisLabelsX.majorUnit">P0Y0M0DT1H0M0S</option>
and the charting.scaleX options, but that makes no difference.
Isn't this a trivial thing to do...
This is just incredible that such a simple option can't be achieved in a simple way. I've tried so many ways to achieve this
timechart dc(Username)
Gives alternate months
bucket _time span=1mon | stats dc(Username) by _time
Gives the tick marks as full dates including time and TZ offset.
stats dc(Username) by date_month
Gives months with lower case text including first letter, sorted alphabetically.
stats dc(Username) by date_month, date_year | rename date_month as Month | eval sort_field=case(Month=="january",1, Month=="february",2, Month=="march",3, Month=="april",4, Month=="may",5, Month=="june",6, Month=="july",7, Month=="august",8, Month=="september",9, Month=="october",10, Month=="november",11, Month=="december",12) | sort date_year, sort_field | fields - sort_field, date_year
Almost gets there, but it still has months with lower case text including first letter, but at least in the right order.
So finally I add in an eval Month = upper(substr(Month,1,1)).substr(Month,2) to the end.
Does it really have to be so hard...? I'm sure I can't be the only person who's ever wanted to get a simple graph of something over 12 months...
I'm posting this as the answer as I have to use it, but I don't see that this really is the right way to do it.
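An alternative to the case()/sort approach in the answer above, as an added example that is not part of the original thread: keep timechart's chronological one-month buckets, then replace _time with a text label built by strftime, so the chart treats the x-axis as categories and labels every month. The earliest/latest range and the field names Month and Users are assumptions chosen for illustration.

```spl
sourcetype="logins" earliest=-12mon@mon latest=@mon
| timechart span=1mon dc(Username) AS Users
| eval Month=strftime(_time, "%b %Y")
| table Month, Users
```

Because timechart emits a row for every bucket in the range, months with no logins still appear (with a count of 0), and the rows stay in time order without a separate sort field.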
This option was working in Splunk 4
P0Y0M0DT1H0M0S
Now it is not working, and there is still no such problem in "known issues"...
This seems to be working for me. Please check and let me know if it works for you as well. (Using Sideview for advanced XML.)
<view autoCancelInterval="90" isPersistable="true" isSticky="true" isVisible="true" objectMode="SimpleForm" onunloadCancelJobs="true" template="dashboard.html">
  <label>Test X-axis ticks</label>
  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="AppBar" layoutPanel="navigationHeader"/>
  <module name="SideviewUtils" layoutPanel="appHeader"/>
  <module name="URLLoader" layoutPanel="viewHeader" autoRun="True">
    <module name="Search">
      <param name="search">
        sourcetype="logins" | timechart dc(Username)
      </param>
      <module name="JobProgressIndicator" layoutPanel="panel_row1_col1"></module>
      <module name="HiddenChartFormatter" layoutPanel="panel_row1_col1">
        <param name="charting.secondaryAxisTitle.text">Count</param>
        <param name="charting.chart">column</param>
        <param name="charting.chart.stackMode">stacked</param>
        <param name="charting.showMarkers">true</param>
        <param name="charting.chart.nullValueMode">zero</param>
        <param name="charting.legend.placement">bottom</param>
        <param name="primaryAxisTitle.text">Minutes</param>
        <param name="charting.scaleX">1</param>
        <param name="charting.axisLabelsX.majorUnit">P0Y1M0DT0H0M0S</param>
        <module name="FlashChart">
          <param name="width">100%</param>
          <param name="height">300px</param>
        </module>
      </module>
    </module>
  </module>
</view>
Think I managed to work out why simple XML won't do it. In the advanced XML it specifies
If I add
that then shows the individual months. Any idea how to make simple XML use FlashChart, not JSChart?
Hi somesoni2. OK, this works for me with the advanced XML, but my dashboard XML is simple XML and that does not seem to work. I converted my dashboard to Advanced XML, but it no longer gives me the same UI and many of my panels do not work - some date problem.
Do you know how to make this X-axis thing work with the simple XML interface - I need to be able to export PDFs so need to stick with the simple XML.
Open the view XML window from Manager -> User interface -> Views and replace everything with the XML I sent.
Hi, I have replaced the XML,
and while searching I am not getting all of the x-axis to display.
Can you suggest if any other changes are needed?
Thanks for the suggestion. I've not used Sideview, but have now installed it. I don't know where I have to put that XML. I tried adding it inside my
sourcetype="logins" | bucket span=1mon _time | timechart dc(Username)
I did originally use chart dc(Username) by date_month, which does give separate months, but the months are sorted alphabetically, not chronologically. If I do by _time with bucket
sourcetype="logins" | bucket _time span=1mon | chart dc(Username) by _time
that is chronological, but the x-axis labels are 2012-11-0...000 +11:00 etc.
Instead of using timechart, try just chart dc(Username) by _time
Thanks Shane, I should have clarified that I get all the data in 1 month buckets OK, it's just the x-axis labels and tick marks that are alternate months.
Makes no difference, the visualisation still displays just alternate month names in the x-axis.