Splunk Search

How to graph time values %H:%M on the y-axis against the date in Splunk?

chrishenry
New Member

Hi Guys,
I've looked around the forums and found a few questions similar to mine, all of which have no answers.
I basically have a series of data that I want to plot which is contained in the generic _time format.

I've extracted the values in the form of "%H:%M" using strftime(_time, "%H:%M").

My question is,

Is it possible to graph these time of day values against date using Splunk?

Here is an example set of data:
Date       | Value1 | Value2 | Value3 | Value4
01/01/2014 | 00:10  | 00:15  | 00:45  | 03:33
02/01/2014 | 00:16  | 00:24  | 01:15  | 04:01
03/01/2014 | 00:47  | 01:16  | 02:01  | 05:15
...

I've gotten this by using a chart command similar to below:
my_search | chart values(time) by date, ValueField

So far, I've been able to convert the time values to decimal and display them that way using:
mysearch
| eval date = strftime(_time, "%F")
| eval time = date_hour + (date_minute / 60) + (date_second / 3600)

but this isn't ideal.

Does anyone know how to graph "%H:%M" values on the Y axis?

Cheers

0 Karma

tachifelix
Path Finder

Use this in your search
....|eval c_time=strftime(_time, "%H:%M")|chart values(c_time) by _time

0 Karma

chrishenry
New Member

Posting in reply to: tachifelix as forum won't allow me to reply

Nope, that doesn't work because of the ':' character.

0 Karma

juvetm
Communicator

index=* | stats count by _time | fieldformat _time=strftime(_time, "%H:%M") | head 5
This is the right query for time on the y axis.
To graph this time on the y axis, after placing your query you just need to go to Visualization and choose the bar chart visualization, which places it on the y axis. That is all there is to it; then you change the time to date on the y axis.

0 Karma

chrishenry
New Member

That will graph the count of each occurrence of time in the data set based on the date.

What I was trying to achieve was to graph the values of each event in the dataset above. In the end, I realised that when I used strftime with "%H:%M", the colon was causing issues with the graph interpreting the values. Removing the colon from my strftime string allowed a bit of a better result. My final query was:

index=*
| eval time = strftime(_time, "%H%M")
| eval date = strftime(_time, "%F")
| chart values(time) by date, ValueField

This basically charts the values in decimal format, i.e. 1:10 as opposed to 23:59. I was looking at creating an app for this when I get time. I'll post a link to the app when/if I finish it.

On a side note, the nice thing about the chart function (as opposed to timechart) is that it allows you to specify the row and column header fields through the "by" function. In the chart example above, date represents each row whereas ValueField represents each column.

0 Karma
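A worked comparison of the two y-value schemes that come up in this thread, added here as an illustration in Python (it is not code from the thread and not Splunk's own). It assumes nothing beyond the standard library; the events are constructed to mirror the table in the question. Casting strftime("%H%M") to a number (the final query above) gives a value that sorts correctly but is not linear: 00:59 becomes 59 and 01:00 becomes 100, so one minute of wall-clock time becomes a jump of 41 units on the axis. Minutes since midnight (the same idea as the date_hour + date_minute/60 eval in the question, scaled by 60) stays linear, and the label function turns the numbers back into %H:%M ticks.

```python
from datetime import datetime

# Constructed sample events, not real Splunk data: one event per (date, ValueField),
# with times of day mirroring the table in the original question.
SAMPLE_EVENTS = [
    ("2014-01-01 00:10:00", "Value1"), ("2014-01-01 00:15:00", "Value2"),
    ("2014-01-01 00:45:00", "Value3"), ("2014-01-01 03:33:00", "Value4"),
    ("2014-01-02 00:16:00", "Value1"), ("2014-01-02 00:24:00", "Value2"),
    ("2014-01-02 01:15:00", "Value3"), ("2014-01-02 04:01:00", "Value4"),
    ("2014-01-03 00:47:00", "Value1"), ("2014-01-03 01:16:00", "Value2"),
    ("2014-01-03 02:01:00", "Value3"), ("2014-01-03 05:15:00", "Value4"),
]


def parse(ts: str) -> datetime:
    """Parse the constructed timestamp strings (stand-in for Splunk's _time)."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def hhmm_number(t: datetime) -> int:
    """strftime("%H%M") cast to a number: what the final query in the thread plots.
    Sorts correctly, but the scale is not linear (00:59 -> 59, 01:00 -> 100)."""
    return int(t.strftime("%H%M"))


def minutes_since_midnight(t: datetime) -> float:
    """Linear y value: minutes since midnight, with seconds as a fraction."""
    return t.hour * 60 + t.minute + t.second / 60


def hhmm_label(minutes: float) -> str:
    """Axis-tick formatter: numeric minutes back to %H:%M (truncates seconds)."""
    whole = int(minutes)
    return f"{whole // 60:02d}:{whole % 60:02d}"


def hhmm_gap(a: str, b: str) -> tuple:
    """Distance from a to b under each scheme: (HHMM-number gap, minutes gap)."""
    ta, tb = parse(a), parse(b)
    return (hhmm_number(tb) - hhmm_number(ta),
            minutes_since_midnight(tb) - minutes_since_midnight(ta))


def chart_values(events, yfunc=minutes_since_midnight):
    """Python equivalent of `chart values(y) by date, ValueField`:
    returns {date: {ValueField: y}} with y computed by yfunc."""
    table = {}
    for ts, field in events:
        t = parse(ts)
        table.setdefault(t.strftime("%Y-%m-%d"), {})[field] = yfunc(t)
    return table


if __name__ == "__main__":
    for date, row in chart_values(SAMPLE_EVENTS).items():
        print(date, {f: hhmm_label(v) for f, v in sorted(row.items())})
    print("00:59 -> 01:00 gap (HHMM number, minutes):",
          hhmm_gap("2014-01-01 00:59:00", "2014-01-01 01:00:00"))
```

The Splunk side of the same idea is the eval already in the question, scaled to whole minutes (for example `eval mins = date_hour * 60 + date_minute`, relying on the date_hour and date_minute fields the question uses) followed by `chart values(mins) by date, ValueField`; the plotted numbers then stay evenly spaced across the hour boundary, and only the tick labels need converting back to clock time.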