Splunk Search

timechart x-axis tick marks every month

bowesmana
SplunkTrust
SplunkTrust

I want my timechart to show system logins for the last 12 months

my search is sourcetype="logins" | timechart dc(Username)

The graph shows data by month for each month, but the X-axis tick marks and labels are only for November 2012, January 2013, March, May, July, September.

For the life of me, I can't find out how to make it display a tick mark and month name for each month. It's a standard search, but I really want it in a dashboard. I have read about

  <option name="charting.axisLabelsX.majorUnit"> P0Y0M0DT1H0M0S</option>

and the charting.scaleX options, but that makes no difference.

Isn't this is trivial thing to do...

Tags (2)
1 Solution

bowesmana
SplunkTrust
SplunkTrust

This is just incredible that such a simple option can't be achieved in a simple way. I've tried so many ways to achieve this

timechart dc(Username)

Gives alternate months

bucket _time span=1mon | stats dc(Username) by _time

Gives the tick marks as full dates including time and TZ offset.

stats dc(Username) by date_month

Gives months with lower case text including first letter, sorted alphabetically.

stats dc(Username) by date_month, date_year  | rename date_month as Month | eval sort_field=case(Month=="january",1, Month=="february",2, Month=="march",3, Month=="april",4, Month=="may",5, Month=="june",6, Month=="july",7, Month=="august",8, Month=="september",9, Month=="october",10, Month=="november",11, Month=="december",12) | sort date_year, sort_field | fields - sort_field, date_year

Almost gets there, but it still has months with lower case text including first letter, but at least in the right order.

So finally I add in an eval Month = upper(substr(Month,1,1)).substr(Month,2) to the end.

Does it really have to be so hard...? I'm sure I can't be the only person who's ever wanted to get a simple graph of something over 12 months...

I'm posting this as the answer as I have to use it, but I don't see this really is the right way to do it.

View solution in original post

0 Karma

0range
Communicator

This option was working in splunk 4
P0Y0M0DT1H0M0S
now it is not working and it's still no such a problem in "known issues"...

0 Karma

bowesmana
SplunkTrust
SplunkTrust

This is just incredible that such a simple option can't be achieved in a simple way. I've tried so many ways to achieve this

timechart dc(Username)

Gives alternate months

bucket _time span=1mon | stats dc(Username) by _time

Gives the tick marks as full dates including time and TZ offset.

stats dc(Username) by date_month

Gives months with lower case text including first letter, sorted alphabetically.

stats dc(Username) by date_month, date_year  | rename date_month as Month | eval sort_field=case(Month=="january",1, Month=="february",2, Month=="march",3, Month=="april",4, Month=="may",5, Month=="june",6, Month=="july",7, Month=="august",8, Month=="september",9, Month=="october",10, Month=="november",11, Month=="december",12) | sort date_year, sort_field | fields - sort_field, date_year

Almost gets there, but it still has months with lower case text including first letter, but at least in the right order.

So finally I add in an eval Month = upper(substr(Month,1,1)).substr(Month,2) to the end.

Does it really have to be so hard...? I'm sure I can't be the only person who's ever wanted to get a simple graph of something over 12 months...

I'm posting this as the answer as I have to use it, but I don't see this really is the right way to do it.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

This seems to be working for me. Please check and let me know if works for you as well. (using Sideview for advanced xml).

    <view autoCancelInterval="90" isPersistable="true" isSticky="true" isVisible="true" objectMode="SimpleForm" onunloadCancelJobs="true" template="dashboard.html">
  <label>Test X-axis ticks</label>

  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="AppBar" layoutPanel="navigationHeader"/>
  <module name="SideviewUtils" layoutPanel="appHeader"/>

  <module name="URLLoader" layoutPanel="viewHeader" autoRun="True">
            <module name="Search">
          <param name="search">
           sourcetype="logins"  | timechart dc(Username)
          </param>
          <module name="JobProgressIndicator" layoutPanel="panel_row1_col1"></module>
            <module name="HiddenChartFormatter"  layoutPanel="panel_row1_col1">
                <param name="charting.secondaryAxisTitle.text">Count</param>
                <param name="charting.chart">column</param>
                <param name="charting.chart.stackMode">stacked</param>
                <param name="charting.showMarkers">true</param>
                <param name="charting.chart.nullValueMode">zero</param>
                <param name="charting.legend.placement">bottom</param>
                <param name="primaryAxisTitle.text">Minutes</param>
                <param name="charting.scaleX">1</param>
                <param name="charting.axisLabelsX.majorUnit">P0Y1M0DT0H0M0S</param>
                <module name="FlashChart">
                        <param name="width">100%</param>
                        <param name="height">300px</param>
                </module>
            </module>           
        </module>         
  </module>
</view>

bowesmana
SplunkTrust
SplunkTrust

Think I managed to work out why simple XML won't do it. In the advanced XML it specifies


100%



flashtimeline


If I add


100%
300px

that then shows the individual months. Any idea how to make simple XML use FlashChart, not JSChart

0 Karma

bowesmana
SplunkTrust
SplunkTrust

Hi somesoni2. OK, this works for me with the advanced XML, but my dashboard XML is simple XML and that does not seem to work. I converted my dashboard to Advanced XML, but it no longer gives me the same UI and many of my panels do not work - some date problem.

Do you know how to make this X-axis thing work with the simple XML interface - I need to be able to export PDFs so need to stick with the simple XML.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Open the view xml window from manager->user interface ->views and replace everything with the xml I sent.

0 Karma

paranjothi
New Member

Hi I have replaced the xml ,
and while searching I am not getting all x axis to be displaying.

can suggest if any other changes needed

0 Karma

bowesmana
SplunkTrust
SplunkTrust

Thanks for the suggestion. I've not used Sideview, but have now installed it. I don't know where I have to put that XML. I tried adding it inside my

, but I don't see anything different. Where should it go?

0 Karma

ShaneNewman
Motivator
 sourcetype="logins"  | bucket span=1mon _time | timechart dc(Username)
0 Karma

bowesmana
SplunkTrust
SplunkTrust

I did originally use chart dc(Username) by date_month, which does give separate months, but the months are sorted alphabetically, not chronologically. If I do by _time with bucket

sourcetype="logins" | bucket _time span=1mon | chart dc(Username) by _time

that is chronological, but the x-axis labels are 2012-11-0...000 +11:00 etc.

0 Karma

ShaneNewman
Motivator

Instead of using timechart, try just chart dc(Username) by _time

0 Karma

bowesmana
SplunkTrust
SplunkTrust

Thanks Shane, I should have clarified that I get all the data in 1 month buckets OK, it's just the x-axis labels and tick marks that are alternate months.

0 Karma

bowesmana
SplunkTrust
SplunkTrust

Makes no difference, the vizualisation still displays just alternate month names in the x-axis.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...