Can I add timescale for x-axis to chart

john_howley
Path Finder

I have the following query, which produces a chart that only shows TIME as the x-axis label and doesn't show the times themselves on the axis. I would like to add that. According to the chart reference there is a timescale option, but I have been unable to get that to work.
Note: the startdate and enddate fields are taken from input boxes.
| dbquery "MassPayPrimary" [stats count | head 1 | eval startdate = 155051341 | eval enddate = 1550515 | eval sqlstr = "\"select a.msgsubtype, substr(a.time_stamp,12,8) as Time, a.msg_status, count (*) as NUMBER_PROCESSED from table a where a.IIFIS > '%startdate%' and a.IIFIS < '%enddate%' and a.msg_status = 'COMPLETE' AND a.msgsubtype IS NOT NULL group by msgsubtype, substr(a.time_stamp,12,8), a.msg_status order by substr(a.time_stamp,12,8) asc\"" | eval sqlstr = replace(sqlstr, "%startdate%", startdate) | eval sqlstr = replace(sqlstr, "%enddate%", enddate) | return $sqlstr] | chart max(NUMBER_PROCESSED) by TIME, MSGSUBTYPE | fillnull

If I try to convert to timechart it complains that MSGSUBTYPE is not valid.

0 Karma

john_howley
Path Finder

As additional info to the question, I noted that the series data count went over the 1000 maximum. I tried re-configuring the limit to see if that would help, but it didn't. I also tried to restrict the number of events being returned to below 1000; again, that made no difference. Also, the field that TIME is being extracted from is just a text field, not a date field, so I wondered if that had any impact on it. I did try converting to a date, but again that didn't help.

0 Karma

DaveAsh
Engager

Hi John,
I am certain someone else may have a better idea about this, but figured you still didn't have an answer in 6 days so I would take a shot at part of the question.
Normally I have had issues with timechart being case sensitive. The field you are grouping by in your query is msgsubtype, and then you try to timechart with MSGSUBTYPE, which might be causing the "field is not valid" error. If I change the field case I always end up with a chart that just contains nulls.
So, like I said, I am sure there are others out there who have different ideas that will help, but perhaps this will start a dialog.
-Dave

0 Karma