Splunk Search

How to force all x-axis labels to display on a timechart?

jeffland
SplunkTrust

Hello.

I am trying to create a dashboard with a simple timechart showing the number of log entries per day. I am interested in the last seven days.

The problem is that the x-Axis labels only appear every other day, as do the major ticks. When I rotate the label, they appear for each day; this also happens when I reduce the number of days. I suspect this behavior is because there is (allegedly) not enough space for the label to display in horizontal mode for seven days.

From what I understand, I am not the first to come across this problem, for example:
http://answers.splunk.com/answers/62567/avoid-chart-skipping-every-other-day-label-on-x-axis.html
http://answers.splunk.com/answers/113616/x-axis-marks.html

I have tried the solution to the second problem (creating buckets for results per day and using the buckets to display in the chart), but then my results are no longer in chronological order (and somehow can't be sorted), but even if that worked this is not a pretty solution. What I am looking for is a way to force the display of a label for each day, even if they overlap (which wouldn't even happen in my case).

Things I have tried are setting the visibility of major ticks and labels:

<option name="charting.axisLabelsX.majorLabelVisibility">show</option>
<option name="charting.axisLabelsX.majorTickVisibility">show</option> 

I also tried to set the major unit with

<option name="charting.axisLabelsX.majorUnit"> P1M1D</option>

but that has no effect whatsoever. The value P1M1D is a guess based on an answer to a similar question, because the Documentation at http://docs.splunk.com/Documentation/Splunk/6.2.2/Viz/ChartConfigurationReference does not really help with it to be honest.

So is there something I am missing, or is this simply not possible? I would be very thankful for any ideas or hints.

Cheers

rsennett_splunk
Splunk Employee

It's a bit difficult to tell exactly what's going to work for you, because while you've described your endgame, you haven't really described what the counts are. Basically, timechart is a composite command. Because of that, it's got lots of settings you can apply but it also is intended to maintain a certain kind of visualization and thereby has some failsafes built in. So rather than working around it, you can either open the flood gates:

This produces the 'missing labels' you describe:

index=_internal  earliest=-7d@d latest=now| timechart span=1d count

The examples below do not... they produce 7 series, with seven labels on the x-axis:

index=_internal  earliest=-7d@d latest=now| timechart span=1d count limit=0

or you can take control yourself:

index=_internal earliest=-7d@d latest=now sourcetype=splunkd_access|bucket _time span=1d|chart count by _time| eval _time = strftime(_time, "%c")

The reason you're not seeing all the "ticks" is because timechart has a certain number of bins it produces (slices of time within the span) and it's all based on what fits. You can specify the number of bins and what's going to actually fit visually... here I've managed to solve it without messing with the bins (which would be in the second pipe above or just part of the timechart if you've gone in that direction).

If these searches don't offer insight... then perhaps you can give us some info on the counts per series so we can replicate it.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

Aftab_alam
Explorer

Is there a way to show all series values but show only a few labels? E.g., if I have 10000 data points in a time series, the x-labels will be too crowded, but if we can show 100 evenly distributed times, then we can zoom in later.

0 Karma

martin_mueller
SplunkTrust

My timechart with the post-processing will give you all the labels using a custom time format including zero-value buckets, so there's no real need to muck about with bucket|chart here. If you really wanted to, makecontinuous should give you at least the zero-value buckets in the middle... getting them at the start or end of the time range would be a lot more work that timechart already does for you.

The missing labels in your screenshot are caused by the graph display running on "timechart-autopilot", making sure the x-axis is not crowded up by labels. Reduce your time range to seven days rather than eight and you will see every bar labelled.

0 Karma

jeffland
SplunkTrust

Oh. You just made me realize that there are eight buckets... "Last seven days" apparently includes the day seven days ago, contrary to my intuition. Sorry for that...

Still, I would like to be able to influence how the axis labels are displayed, i.e. force the labels to show even if that makes the axis crowded (which, to be honest, I absolutely don't see happening in the above screenshot if every other label were to appear). "timechart-autopilot" is generally a good idea, but it's only half as useful if I haven't got any control over its output.

0 Karma

rsennett_splunk
Splunk Employee

Agreed...

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma

jeffland
SplunkTrust

The timecharts for the first and second search look exactly alike for me; they are missing every other label. They both have seven bins with data. See here: [screenshot]

The third variant (using a regular chart and creating the buckets manually) works ok for me axis-label wise, but they don't show empty bins - so for example my weekends where no data is collected are simply left out. I figure I can influence this behavior with XML as soon as the chart is on a dashboard, or I could fiddle around some more and make sure that empty days are filled with a zero. At any rate, it surprises me that the chart does what I want (so technically it's possible) while timechart doesn't.

0 Karma

martin_mueller
SplunkTrust

As you can see here: http://docs.splunk.com/Documentation/Splunk/6.2.3/AdvancedDev/CustomChartingConfig-AxisGrid#Time_axi... setting charting.axisLabelsX.majorUnit for time-based axis labels is not compatible with JS Charts, only with Flash Charts... which are deprecated for SimpleXML.

You can somewhat cheat Splunk into giving you all labels, but then you lose a lot of features of the default timechart rendering:

index=_internal | timechart span=1m count | fields - _span | fieldformat _time = strftime(_time, "%H:%M")

[screenshot]

Features lost include time-specific automatic drilldowns, automatic adaption of labels to bucket span, automatic adaption of labels to chart width, listing the full date once for reference, and maybe more.

0 Karma
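
Added example, not part of the original thread and not Splunk's own code: a Simple XML panel that applies the `fields - _span | fieldformat` workaround from the post above to the seven-day, one-bucket-per-day chart from the question. The index, the `-6d@d` time range (chosen so the range yields seven daily buckets rather than eight), the titles and the `strftime` format are assumptions.

```xml
<dashboard>
  <label>Log entries per day</label>
  <row>
    <panel>
      <chart>
        <title>Log entries per day, last seven days</title>
        <search>
          <!-- Dropping _span and formatting _time as text is the workaround
               from the thread: every bucket gets its own label, at the cost
               of the time-axis features of the default timechart rendering
               (time drilldowns, adaptive labels). -->
          <query>index=_internal | timechart span=1d count | fields - _span | fieldformat _time = strftime(_time, "%a %d %b")</query>
          <!-- -6d@d to now covers six full days plus today: seven buckets.
               -7d@d to now would give eight, as noted in the thread. -->
          <earliest>-6d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.axisTitleX.text">Day</option>
        <option name="charting.axisTitleY.text">Events</option>
      </chart>
    </panel>
  </row>
</dashboard>
```

Because `timechart` still produces the rows, days with no events stay on the axis with a count of zero, unlike the `bucket | chart` variant.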

jeffland
SplunkTrust

That's a shame. Is there a reason for that? I would expect this annoys quite a few people, as one week seems a common timeframe, and I've noticed it on every timechart that has at least one neighboring element in the same row at a standard resolution.

0 Karma

markthompson
Builder

Have you tried using the GUI options to display the axis labels?

0 Karma

jeffland
SplunkTrust

If you're referring to the options the web editor offers, those for the x-Axis don't allow anything other than setting a title, truncating and rotating the label (the latter of which works, but which I would prefer to avoid). If you were referring to any other settings, could you please be more precise where to find them? I am still very new to this environment. Thanks!

0 Karma