Solved: timechart x-axis tick marks every month

bowesmana · ‎11-04-2013

I want my timechart to show system logins for the last 12 months

my search is sourcetype="logins" | timechart dc(Username)

The graph shows data by month for each month, but the X-axis tick marks and labels are only for November 2012, January 2013, March, May, July, September.

For the life of me, I can't find out how to make it display a tick mark and month name for each month. It's a standard search, but I really want it in a dashboard. I have read about

  <option name="charting.axisLabelsX.majorUnit"> P0Y0M0DT1H0M0S</option>

and the charting.scaleX options, but that makes no difference.

Isn't this is trivial thing to do...

bowesmana · ‎12-01-2013

This is just incredible that such a simple option can't be achieved in a simple way. I've tried so many ways to achieve this

timechart dc(Username)

Gives alternate months

bucket _time span=1mon | stats dc(Username) by _time

Gives the tick marks as full dates including time and TZ offset.

stats dc(Username) by date_month

Gives months with lower case text including first letter, sorted alphabetically.

stats dc(Username) by date_month, date_year  | rename date_month as Month | eval sort_field=case(Month=="january",1, Month=="february",2, Month=="march",3, Month=="april",4, Month=="may",5, Month=="june",6, Month=="july",7, Month=="august",8, Month=="september",9, Month=="october",10, Month=="november",11, Month=="december",12) | sort date_year, sort_field | fields - sort_field, date_year

Almost gets there, but it still has months with lower case text including first letter, but at least in the right order.

So finally I add in an eval Month = upper(substr(Month,1,1)).substr(Month,2) to the end.

Does it really have to be so hard...? I'm sure I can't be the only person who's ever wanted to get a simple graph of something over 12 months...

I'm posting this as the answer as I have to use it, but I don't see this really is the right way to do it.

View solution in original post

0range · ‎03-20-2014

This option was working in splunk 4
P0Y0M0DT1H0M0S
now it is not working and it's still no such a problem in "known issues"...

bowesmana · ‎12-01-2013

This is just incredible that such a simple option can't be achieved in a simple way. I've tried so many ways to achieve this

timechart dc(Username)

Gives alternate months

bucket _time span=1mon | stats dc(Username) by _time

Gives the tick marks as full dates including time and TZ offset.

stats dc(Username) by date_month

Gives months with lower case text including first letter, sorted alphabetically.

stats dc(Username) by date_month, date_year  | rename date_month as Month | eval sort_field=case(Month=="january",1, Month=="february",2, Month=="march",3, Month=="april",4, Month=="may",5, Month=="june",6, Month=="july",7, Month=="august",8, Month=="september",9, Month=="october",10, Month=="november",11, Month=="december",12) | sort date_year, sort_field | fields - sort_field, date_year

Almost gets there, but it still has months with lower case text including first letter, but at least in the right order.

So finally I add in an eval Month = upper(substr(Month,1,1)).substr(Month,2) to the end.

Does it really have to be so hard...? I'm sure I can't be the only person who's ever wanted to get a simple graph of something over 12 months...

I'm posting this as the answer as I have to use it, but I don't see this really is the right way to do it.

somesoni2 · ‎11-05-2013

This seems to be working for me. Please check and let me know if works for you as well. (using Sideview for advanced xml).

    <view autoCancelInterval="90" isPersistable="true" isSticky="true" isVisible="true" objectMode="SimpleForm" onunloadCancelJobs="true" template="dashboard.html">
  <label>Test X-axis ticks</label>

  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="AppBar" layoutPanel="navigationHeader"/>
  <module name="SideviewUtils" layoutPanel="appHeader"/>

  <module name="URLLoader" layoutPanel="viewHeader" autoRun="True">
            <module name="Search">
          <param name="search">
           sourcetype="logins"  | timechart dc(Username)
          </param>
          <module name="JobProgressIndicator" layoutPanel="panel_row1_col1"></module>
            <module name="HiddenChartFormatter"  layoutPanel="panel_row1_col1">
                <param name="charting.secondaryAxisTitle.text">Count</param>
                <param name="charting.chart">column</param>
                <param name="charting.chart.stackMode">stacked</param>
                <param name="charting.showMarkers">true</param>
                <param name="charting.chart.nullValueMode">zero</param>
                <param name="charting.legend.placement">bottom</param>
                <param name="primaryAxisTitle.text">Minutes</param>
                <param name="charting.scaleX">1</param>
                <param name="charting.axisLabelsX.majorUnit">P0Y1M0DT0H0M0S</param>
                <module name="FlashChart">
                        <param name="width">100%</param>
                        <param name="height">300px</param>
                </module>
            </module>           
        </module>         
  </module>
</view>

bowesmana · ‎11-30-2013

Think I managed to work out why simple XML won't do it. In the advanced XML it specifies

If I add

that then shows the individual months. Any idea how to make simple XML use FlashChart, not JSChart

bowesmana · ‎11-30-2013

Hi somesoni2. OK, this works for me with the advanced XML, but my dashboard XML is simple XML and that does not seem to work. I converted my dashboard to Advanced XML, but it no longer gives me the same UI and many of my panels do not work - some date problem.

Do you know how to make this X-axis thing work with the simple XML interface - I need to be able to export PDFs so need to stick with the simple XML.

somesoni2 · ‎11-05-2013

Open the view xml window from manager->user interface ->views and replace everything with the xml I sent.

paranjothi · ‎07-19-2017

Hi I have replaced the xml ,
and while searching I am not getting all x axis to be displaying.

can suggest if any other changes needed

bowesmana · ‎11-05-2013

Thanks for the suggestion. I've not used Sideview, but have now installed it. I don't know where I have to put that XML. I tried adding it inside my

ShaneNewman · ‎11-05-2013

 sourcetype="logins"  | bucket span=1mon _time | timechart dc(Username)

bowesmana · ‎11-05-2013

I did originally use chart dc(Username) by date_month, which does give separate months, but the months are sorted alphabetically, not chronologically. If I do by _time with bucket

sourcetype="logins" | bucket _time span=1mon | chart dc(Username) by _time

that is chronological, but the x-axis labels are 2012-11-0...000 +11:00 etc.

ShaneNewman · ‎11-05-2013

Instead of using timechart, try just chart dc(Username) by _time

bowesmana · ‎11-05-2013

Thanks Shane, I should have clarified that I get all the data in 1 month buckets OK, it's just the x-axis labels and tick marks that are alternate months.

bowesmana · ‎11-05-2013

Makes no difference, the vizualisation still displays just alternate month names in the x-axis.

timechart x-axis tick marks every month

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor