Modifying x-axis format

user789 · ‎06-02-2020

I am trying to re-format the x-axis time to read cleaner. Here is my spl:
index="servers" source="/var/log/secure" action=failure
| timechart count
| eval time=_time
|table time count
| fieldformat time=strftime(time, "%Y%m%d%H%M")

How can I get it in a format like %Y-%m-%d %H:%M ?

richgalloway · ‎06-02-2020

fieldformat should be all you need.

index="servers" source="/var/log/secure" action=failure
| timechart count
| fieldformat _time=strftime(_time, "%Y-%m-%d %H:%M")

---
If this reply helps you, Karma would be appreciated.

user789 · ‎06-02-2020

When I try this, I don't get any results.

richgalloway · ‎06-02-2020

It works for me, but the format of _time changes only in the timechart output - not in the visualization. The viz appears to be fixed.

---
If this reply helps you, Karma would be appreciated.

user789 · ‎06-02-2020

With this I get a visualization with count on the bottom, then above that, another x-axis labeled" _span".

richgalloway · ‎06-03-2020

I don't know where "_span" is coming from. On my system it's "_time".
You can turn off the x-axis label, by the way. Click the format icon on the viz and there will be options to control the x-axis, y-axis, legend, and other settings.

---
If this reply helps you, Karma would be appreciated.

Modifying x-axis format

chart

eval

table

timechart

.conf24 | Day 0

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector