Hi,
I used the following for my search to display some readings over time. I also did a strftime() to get the timestamp out of the log for my x-axis, but when I display it as a line chart, my time axis only shows TIME instead of all the timestamps. How should I make it appear on my axis? Is it possible to set it to show only the start, mid and end of the x-axis?
sourcetype="Light" index=_* OR index=* sourcetype="Light" |rex field=_raw "\"endpointKeyHash\":\{\"string\":\"(?<endpoint>[^\"]*)\".*\"Event\": (?<mydata>\{.*\})\}$"| spath input=mydata | sort _time | eval TIME=strftime(_time, "%d-%m-%Y %H:%M:%S") | eval light_status = If(IsOn == "true","1","0") |table TIME, light_status
Hi jkat54,
Is there a limit to timechart? My data is being collected at per-second intervals and my data is only 5 mins long for now. If I switch to a 30-second window, Splunk will show an error "No results found. Try expanding the time range." Over a longer period of time, I can see the timechart working fine.
Try this:
sourcetype="Light" index=_* OR index=* sourcetype="Light" |rex field=_raw "\"endpointKeyHash\":\{\"string\":\"(?<endpoint>[^\"]*)\".*\"Event\": (?<mydata>\{.*\})\}$"| spath input=mydata | eval light_status = If(IsOn == "true","1","0") |timechart values(light_status)
Is sourcetype="Light" index=_* OR index=* sourcetype="Light"
supposed to be
(sourcetype="Light" index=_*) OR (index=* sourcetype="Light")
?
Because as is, it will only apply the OR to the index values.
[No answer to your original question, but hopefully helpful]
Your search term includes 'sourcetype="Light"' twice. As OR has priority over (implicit) AND, the search probably does not do what you intended. Also I assume that "Light" or "IoT Light" is not in the internal indexes (starting with "_...") so you could leave them out. A further speed-up could be achieved by only naming the index(es) that actually contain(s) the named sourcetype.
@wuming79, how frequently are you polling light_status (real-time or with a slight delay, let's say 1 min or 5 min)?
You seem to have too many data points on the x-axis, and since you are not using the timechart command you are not getting the x-axis time range adjusted.
You can try the following couple of things:
1) From the Format option in the Line Chart Visualization (as shown in your screenshot), for X-Axis select Label Rotation as -90 degrees
2) Choose a smaller Time Range (like last 5 min or last 15 min), so that you have fewer data points on the x-axis (try with 50 or fewer rows in Statistics values)
Eventually you might have to consider streamstats and/or timechart command to plot your data.
But how do I display my light_status as a statistic? My current Time Range is actually set to display over 5 days but I'm polling like every second.