
How do I create a line chart using epoch values, but convert the y and x-axis labels to a human readable format?

Dohrendorf_Cons
Path Finder

Hi all,

I need to chart a series of time(epoch) values over time. So basically, I want to show Dates on both the X and Y Axis of a linechart. After converting the Y-values to epoch, I get a nice line. However epoch values are not very user-friendly, so I would like to convert the axis labels back into a readable format. I created a screenshot to illustrate the problem:

I tried using "fieldformat" and "convert timeformat...", but neither works. If inserted before the chart command, the line cannot be drawn anymore; if inserted after, the labels do not change. Using a timechart helps with the X-Axis, but doesn't change anything about the Y-Axis.

rafaelvjb
Explorer

oh, and the x axis, just add some eval to replace after charting...

    | chart max(time) as max_time by datex
    | eval datex = strftime(datex, "%d/%m")

0 Karma

rafaelvjb
Explorer

Hi, I've done some tricks to do this ...

In the query I converted hh:mm:ss to a number (because a string does not draw points in the graph):

...
    | chart max(epoch_time) as max_time by date
    | eval max_time = tonumber(strftime(max_time, "%H%M%S"))

In the HTML dashboard, after render() of my chartElement (or chartView):

    element4.on("rendered", function () {
        // After each render, rewrite numeric HHMMSS axis labels as HH:MM
        $("#element4 tspan").each(function () {
            console.log("element4 : " + $(this).text());
            // Labels that carry a thousands separator, e.g. "93,000"
            var rex = new RegExp("[0-9]{0,3},[0-9]{3}");
            if (rex.test($(this).text())) {
                var hhnum = $(this).text().replace(",", "");
                var hhzeros = String("000000" + hhnum).slice(-6);
                var hhfinal = hhzeros.substr(0, 2) + ":" + hhzeros.substr(2, 2);
                $(this).text(hhfinal);
            } else if ($(this).text() < 1000) {
                // Labels below 1000 have no separator; pad them the same way
                var hhzeros = String("000000" + $(this).text()).slice(-6);
                var hhfinal = hhzeros.substr(0, 2) + ":" + hhzeros.substr(2, 2);
                $(this).text(hhfinal);
            }
        });
    });

This code needs some refactoring, but this was my first successful case

0 Karma
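
The label rewrite from the answer above as standalone functions, as an added example that is not part of the original post. It goes beyond the post by also covering raw epoch-second labels (the original question); the function names are hypothetical, and it assumes the chart renders numbers with "," as the thousands separator.

```javascript
// Added example; these function names are hypothetical, not a Splunk API.
// Assumption: axis labels use "," as the thousands separator.

// Parse an axis label such as "1,450,000,000" or "93,000" into an integer.
// Returns null for anything that is not a plain non-negative number, so
// category labels (dates, field names) are never rewritten.
function parseNumericLabel(text) {
    var s = String(text).trim();
    if (!/^(\d{1,3}(,\d{3})+|\d+)$/.test(s)) {
        return null;
    }
    return parseInt(s.replace(/,/g, ""), 10);
}

// HHMMSS encoded as a number (93000 for 09:30:00) -> "09:30".
// Tick values picked by the chart need not be valid clock times
// (e.g. 96,000), so those labels are returned unchanged.
function hhmmssLabel(text) {
    var n = parseNumericLabel(text);
    if (n === null || n > 235959) {
        return String(text);
    }
    var padded = ("000000" + n).slice(-6);
    var mm = Number(padded.substr(2, 2));
    var ss = Number(padded.substr(4, 2));
    if (mm > 59 || ss > 59) {
        return String(text);
    }
    return padded.substr(0, 2) + ":" + padded.substr(2, 2);
}

// Epoch seconds -> "YYYY-MM-DD HH:MM" in UTC.
function epochLabel(text) {
    var n = parseNumericLabel(text);
    // 8.64e12 seconds is past the largest value a JavaScript Date can hold
    if (n === null || n > 8640000000000) {
        return String(text);
    }
    return new Date(n * 1000).toISOString().slice(0, 16).replace("T", " ");
}
```

Inside the "rendered" handler either function can be applied per label with `$(this).text(hhmmssLabel($(this).text()))`.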

frobinson_splun
Splunk Employee

Hi @Dohrendorf_Consist,
Have you tried using the "strftime" command in your query to convert the way the time stamp is rendered? Here is some documentation that might help:
http://docs.splunk.com/Documentation/Splunk/6.3.1/SearchReference/CommonEvalFunctions#Date_and_Time_...

See also this older Answers post, which seems related to your question:
https://answers.splunk.com/answers/11649/specify-timestamp-display-format-for-timechart-axis-labels....
Hope this helps! Let me know if not and we can keep discussing.

All best,
@frobinson_splunk

0 Karma

Dohrendorf_Cons
Path Finder

I already had tried that, but it only works on the X-Axis. Using strftime on the Y-Axis results in the line no longer being drawn, apparently because the values are strings after formatting them, which makes sense.

Any other suggestions?

0 Karma

rafaelvjb
Explorer

Dohrendorf,
Did you make it?
I'm trying here and I'm having the same problem.

tks

0 Karma