index=main sourcetype=myTest host="hello1234" getUserDetail | rex "(?im)^(?:[^:]*:){4}\s(?P<TIMESTAMP>(?P<Date>[^T]*)T(?P<Time>[^\-]*))-(?:[^,]*,){6}(?P<SERVICENAME>[^,]+),(?P<OPERATION>[^,]*),(?P<DURATION>\d+(?:\.\d+)?)ms" | where DURATION >= 15000 | table DURATION,_time
I'm creating a bar chart from the above search. The problem I'm facing is this:

| Time | Duration |
|---|---|
| 10:10:00 | 50 |
| 10:12:00 | 150 |
| 10:15:00 | 500 |
| 11:10:00 | 250 |
| 11:30:00 | 510 |

I don't want five points on the x-axis. I need only 2 points (10:00:00, 11:00:00), but I want all the points to be marked on the chart. Is there a feature in Splunk to accomplish this?
You're probably looking for timechart:

... | timechart avg(DURATION)
That will automatically bucket your data into equally sized spans and put the time onto the X-axis.
In order to have 500 randomly distributed events fit a chart equally and have each and every event appear with its own column, you'll need a huge number of columns, way beyond what you can reasonably chart or display.
I don't want to calculate the average. I need all points to be plotted in the chart (line chart). In the below search, if the search result count is < 10 I'm able to see the labels. But if the result count is > 10 the labels start disappearing. I don't want to show all the times on the x-axis, just 12 points, i.e. 00:00, 2:00, 4:00 ...
index=main sourcetype=myTest host="hello1234" getUserDetail | rex "(?im)^(?:[^:]:){4}\s(?P
And you can define the span of the (1-hour) buckets with:

... | timechart span=1h avg(DURATION)
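To make the bucketing that `timechart span=...` performs concrete, here is an added Python example (not Splunk code and not from the thread) that re-implements the span-aligned bucketing and averaging for the five rows in the question's table. The rows carry no date, so the example assumes they all fall on the constructed date 2024-01-01 in UTC; the function names `parse_span`, `bucket_start`, `timechart_avg` and `axis_labels` are the example's own.

```python
from datetime import datetime, timezone

# Constructed sample: the five rows from the question's table, assumed to fall
# on the same (arbitrary) day in UTC. Values are the DURATION column in ms.
SAMPLE_EVENTS = [
    ("2024-01-01T10:10:00", 50),
    ("2024-01-01T10:12:00", 150),
    ("2024-01-01T10:15:00", 500),
    ("2024-01-01T11:10:00", 250),
    ("2024-01-01T11:30:00", 510),
]

SPAN_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_span(span: str) -> int:
    """Turn a timechart-style span string ('1h', '30m', '2h') into seconds."""
    unit = span[-1]
    if unit not in SPAN_UNITS or not span[:-1].isdigit():
        raise ValueError(f"unsupported span {span!r}")
    return int(span[:-1]) * SPAN_UNITS[unit]


def to_epoch(ts: str) -> int:
    """Parse an ISO-8601 timestamp (no zone given) as UTC and return epoch seconds."""
    return int(datetime.fromisoformat(ts).replace(tzinfo=timezone.utc).timestamp())


def bucket_start(epoch: int, span_seconds: int) -> int:
    """Floor an epoch timestamp to the start of its span-aligned bucket.

    Buckets are aligned to the Unix epoch, so a 1h span yields 10:00, 11:00, ...
    and a 2h span yields 10:00, 12:00, ... regardless of where the data starts.
    """
    return epoch - (epoch % span_seconds)


def timechart_avg(events, span="1h"):
    """Mimic `timechart span=<span> avg(DURATION)`.

    Returns {bucket_start_epoch: average} with one entry per non-empty bucket,
    sorted by time. Every raw point is folded into its bucket's average.
    """
    span_seconds = parse_span(span)
    sums, counts = {}, {}
    for ts, value in events:
        b = bucket_start(to_epoch(ts), span_seconds)
        sums[b] = sums.get(b, 0) + value
        counts[b] = counts.get(b, 0) + 1
    return {b: sums[b] / counts[b] for b in sorted(sums)}


def axis_labels(events, span="2h"):
    """Return the distinct bucket starts (as HH:MM:SS) that a span produces.

    This is the set of x-axis ticks you would get from `timechart span=<span>`;
    with the sample data a 1h span gives two labels, matching the question.
    """
    span_seconds = parse_span(span)
    starts = sorted({bucket_start(to_epoch(ts), span_seconds) for ts, _ in events})
    return [datetime.fromtimestamp(b, tz=timezone.utc).strftime("%H:%M:%S") for b in starts]


def format_buckets(buckets):
    """Render timechart_avg output as (HH:MM:SS, rounded average) pairs."""
    return [
        (datetime.fromtimestamp(b, tz=timezone.utc).strftime("%H:%M:%S"), round(v, 2))
        for b, v in buckets.items()
    ]


if __name__ == "__main__":
    for label, avg in format_buckets(timechart_avg(SAMPLE_EVENTS, "1h")):
        print(label, avg)
    print("2h labels:", axis_labels(SAMPLE_EVENTS, "2h"))
```

With `span=1h` the five rows collapse to two buckets, 10:00:00 (average of 50, 150 and 500) and 11:00:00 (average of 250 and 510), which is exactly the two-tick axis the question asks for, but as the answer notes the individual points are averaged away rather than plotted; `axis_labels` only shows which ticks a given span would produce.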