Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Mapping Dates Proportionally in Splunk Visualizations/Charts

ashish9433
Communicator
‎07-25-2016 04:58 AM

Hi Team,

Can any one please provide me any help or clue how to map Dates/time proportionally on X-axis of Splunk Chart?

In the below image, the Date on x-axis is placed at equidistant from others dates, irrespective of the differrence in number of days between the dates.

The First value on x-axis is 27 Jan 2016, 2nd value 10 Feb 2016 (difference in number of days - 14)
The 2nd value on x-axis is 10 Feb 2016 and 3rd value is 02 March 2016 (difference in number of days - 21)

And similarly, there are variations in number of days in the x-axis, but irrespective of difference in number of days between them, they all are placed in equidistant.

Do we have any functionality in Splunk, wherein this situation can be handled and the dates on x-axis are place proportional to the gap between them.

alt text

Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎07-25-2016 06:30 AM

I assume you are using a timechart without span. Try adding a span option to your timechart. Something like this

.... | timechart span=1h cont=t count

This will give you count in 1 hour increments (you can adjust the increments). The cont=t specifies whether the chart is continuous or not.

http://docs.splunk.com/Documentation/Splunk/6.2.5/SearchReference/Timechart

View solution in original post

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-25-2016 07:42 AM

Try this:

index=testindex Name=testName | eval fileDate=mvindex(split(mvindex(split(mvindex(split(source,"\\"),-1),"."),0),"_"),1) | eval dateSplit=split(fileDate,"-") | eval _time=mvindex(dateSplit,0).mvindex(dateSplit,1).mvindex(dateSplit,2) | timechart span=7d avg(abc)

Adjust your span value as you see fit.

Reply
Solved! Jump to solution

ashish9433
Communicator
‎07-25-2016 08:46 AM

Thanks woodcock!

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-25-2016 09:46 AM

So did this work?

0 Karma
Reply
Solved! Jump to solution

ashish9433
Communicator
‎07-26-2016 01:57 AM

Yes kind off! i was looking for alternatives
But for time being, this can be good to go!

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-25-2016 07:17 AM

It should already be doing this. We need to see your search string (which is ALWAYS the best idea when posting a question).

0 Karma
Reply
Solved! Jump to solution

ashish9433
Communicator
‎07-25-2016 07:22 AM

Here goes my search query

index=testindex Name=testName | eval fileDate=mvindex(split(mvindex(split(mvindex(split(source,"\"),-1),"."),0),"_"),1) | eval dateSplit=split(fileDate,"-") | eval displayDate=mvindex(dateSplit,0).mvindex(dateSplit,1).mvindex(dateSplit,2) | stats values(abc) by displayDate

0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎07-25-2016 06:30 AM

I assume you are using a timechart without span. Try adding a span option to your timechart. Something like this

.... | timechart span=1h cont=t count

This will give you count in 1 hour increments (you can adjust the increments). The cont=t specifies whether the chart is continuous or not.

http://docs.splunk.com/Documentation/Splunk/6.2.5/SearchReference/Timechart

Reply
Solved! Jump to solution

ashish9433
Communicator
‎07-25-2016 07:47 AM

Hi Sundareshr,

Thanks for your revert!

I am aware of timechart command, but the span option can be pretty usefull when i have atleast a fair idea of difference between the dates.

I can have only 2 days difference to 30-40 days difference in dates in my data, so span doesn't seems to be feasible here, though it can be considered as one way to fix this.

What i wanted was that the location of dates on x-axis is distributed proportionally on the basis of difference between the number of days, instead of equally spaced.

Any other suggestions?

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎07-25-2016 07:51 AM

Proportionality is dependent on having a common unit of measure, right in you example it could be seconds, mins, hours, days or weeks. That is what the span command does. Set the common unit. Sounds like the min difference would be in days. I would suggest you could start with 1d. If that is not granular enough, you can change it to 1h or 1m

0 Karma
Reply
Solved! Jump to solution

ashish9433
Communicator
‎07-25-2016 08:46 AM

Thanks Sundareshr!

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎07-25-2016 11:24 AM

@ashish9433 If this worked, please mark the question as answered to close it out and for others' benefit

0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...