Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to split time equally in bar chart

th1agarajan
Path Finder
‎06-30-2014 06:03 PM 
index=main sourcetype=myTest host="hello1234" getUserDetail | rex "(?im)^(?:[^:]*:){4}\s(?P<TIMESTAMP>(?P<Date>[^T]*)T(?P<Time>[^\-]*))-(?:[^,]*,){6}(?P<SERVICENAME>[^,]+),(?P<OPERATION>[^,]*),(?P<DURATION>[^(ms)]+)ms" | where DURATION >= 15000 | table DURATION,_time

I'm creating a bar chart from the above search. The problem I'm facing is

  1. I am getting duration in x-axis and time in Y-axis. I need it in vice versa.
  2. I have at least 500 results. Since the result count is more, timestamp value is disappearing. If the result count is around 25 then the timestamp values are visible. I don't want to show all timestamp values in x-axis. My requirement is i am creating report with one day's data. So I want x-axis to be split into 24 pieces (1 hr difference for each point). To make it clear
TimeDuration
10:10:0050
10:12:00150
10:15:00500
11:10:00250
11:30:00510

I don't want five points in x-axis. I need only 2 points (10:00:00, 11:00:00). But i want all the points to be marked in chart. Is there a feature in Splunk to accomplish this?

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎07-01-2014 01:28 AM

You're probably looking for timechart:

... | timechart avg(DURATION)

That will automatically bucket your data into equally sized spans and put the time onto the X-axis.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎07-01-2014 08:38 AM

In order to have 500 randomly distributed events fit a chart equally and have each and every event appear with its own column you'll need a huge number of columns - way beyond what you can reasonably chart or display.

0 Karma
Reply

th1agarajan
Path Finder
‎07-01-2014 08:35 AM

I don't want to calculate average. i need all points to be plotted in chart(line chart). In Below search if the search results is < 10 I'm able to see the labels. But if the result is > 10 the label stars disappearing. I don't want to show all the time in x-axis. Just 12 points. i.e 00:00, 2:00, 4:00 ..

index=main sourcetype=myTest host="hello1234" getUserDetail | rex "(?im)^(?:[^:]:){4}\s(?P(?P[^T])T(?P

0 Karma
Reply

Rocket66
Communicator
‎07-01-2014 04:31 AM

and you can define the spans for the (1hour) buckets by:

... | timechart span=1h avg(DURATION)

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...