index=main sourcetype=myTest host="hello1234" getUserDetail | rex "(?im)^(?:[^:]*:){4}\s(?P<TIMESTAMP>(?P<Date>[^T]*)T(?P<Time>[^\-]*))-(?:[^,]*,){6}(?P<SERVICENAME>[^,]+),(?P<OPERATION>[^,]*),(?P<DURATION>[^(ms)]+)ms" | where DURATION >= 15000 | table DURATION,_time
I'm creating a bar chart from the above search. The problem I'm facing is
- I am getting duration in x-axis and time in Y-axis. I need it in vice versa.
- I have at least 500 results. Since the result count is more, timestamp value is disappearing. If the result count is around 25 then the timestamp values are visible. I don't want to show all timestamp values in x-axis. My requirement is i am creating report with one day's data. So I want x-axis to be split into 24 pieces (1 hr difference for each point). To make it clear
| Time | Duration |
|---|
| 10:10:00 | 50 |
| 10:12:00 | 150 |
| 10:15:00 | 500 |
| 11:10:00 | 250 |
| 11:30:00 | 510 |
I don't want five points in x-axis. I need only 2 points (10:00:00, 11:00:00). But i want all the points to be marked in chart. Is there a feature in Splunk to accomplish this?
