Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

x-axis data labels for _time are different between 4.2.2 and 4.3

dang
Path Finder
‎01-24-2012 02:57 PM

I'm reproducing a report/dashboard in 4.3 that I have working in an installation of 4.2.2. In this report I'm charting two values by _time (and the values occur approximately every 5 minutes).

When I run the report against the last 10 minutes, the 4.2.2 version shows the data labels in 10 minute intervals (such as 2:00 PM, 2:10 PM, 2:20 PM, etc), but the 4.3 version is attempting to show the label of each value of _time, and in a format which is much more verbose (including the offset from UTC) and gets cut off with ellipses. I'm building this report in simple xml. How can I modify the labels of the data points to be more like the 4.2.2 version?

Tags (2)
0 Karma
Reply

Simon_Fishel
Splunk Employee
Splunk Employee
‎01-24-2012 08:14 PM

Can you post the search you're using? The non-Flash charting module in 4.3 is a little different in the way it handles time-based data, and there are a few cases where you might have to refactor your search a little to make it behave correctly.

0 Karma
Reply

Simon_Fishel
Splunk Employee
Splunk Employee
‎01-25-2012 05:57 PM

You're not going to be able to reformat _time without using timechart, you could try removing the span=5m and let the results bucket automatically.

Also, if you just want the old behavior and don't mind a Flash-based chart, you can always force the chart into Flash as described here: http://splunk-base.splunk.com/answers/38135/version-43-using-flash-charting-instead-of-jschart

0 Karma
Reply

dang
Path Finder
‎01-25-2012 09:56 AM

I can see that the 4.2.2. version did show the extended time information when you would mouse-over a datapoint, but the labels would be in an abbreviated format. That's easier to live with, because it seems the span of the timechart command is causing the chart to oddly not display the earliest datapoint (I'm going between -60m@m to now). Maybe what I need to know is really how to best reformat _time?

0 Karma
Reply

Simon_Fishel
Splunk Employee
Splunk Employee
‎01-25-2012 09:51 AM

Yes that is expected behavior, my suggestion was going to be changing your search to use timechart.

With timechart, Splunk's back end attaches some time-related metadata to the search results, and in 4.3 the charting module needs that metadata to properly display the results.

0 Karma
Reply

dang
Path Finder
‎01-25-2012 09:43 AM

I've found that using timechart with a span (of 5m) doesn't have this same issue. Is this expected behavior?

0 Karma
Reply

dang
Path Finder
‎01-25-2012 08:52 AM

index="monitoring" | chart sum(XAttempt) as Attempt, sum(XSuccess) as Success by _time

I'm displaying the output as an area chart, if that has any relevance here.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...