Splunk Search

How to set the X-axis range in a time chart

Alex210984
New Member

Hi all,

I am a relatively new user of Splunk, so do be patient with me if you think that my questions have been answered before.

Background:
I'm trying to count events using a timechart, but I am currently facing a problem in setting a range for the x-axis in the timechart.
I have tried to look for solutions, but I could not find anything that is similar to mine.

Question:
How do I set the x-axis for the timechart? I tried to run the following query and it does not limit the x-axis range.

index = ["something"] [search for IP address] | timechart span=1hr count by date.

The corresponding results will be

                   17-02-2017 | 18-02-2017 | 19-02-2017 | 20-02-2017
2017-02-17 06:00
....
2017-02-17 23:00
2017-02-18 00:00
....
2017-02-18 23:00

Is there a command where I can set the X-axis range of timechart to explicitly display from 0600hrs to 2300 without the time chart column going to the next day?

Thank you for your time in looking into my situation

0 Karma

somesoni2
SplunkTrust

Try it like this. This will remove all the results that are before 6AM and after 11PM. The x-axis will adjust accordingly.

index = ["something"] [search for IP address] | timechart span=1hr count by date | where strftime(_time,"%H")>=6 AND strftime(_time,"%H")<23
0 Karma

DalJeanis
SplunkTrust

Try this -

index = ["something"] [search for IP address] 
| eval myHour = strftime(_time,"%H:%M:%S")
| where myHour>="06:00:00" AND myHour <"23:00:00"
| timechart span=1hr count
0 Karma

DalJeanis
SplunkTrust

What are you trying to achieve?

If you are trying to only count events that occur between certain hours, across a number of days, then you need to filter that before you feed it into the timechart command.

Also, span=1hr and count by date make no sense at all together.

0 Karma

cmerriman
Super Champion

If you are just looking for one day, add earliest=-1d@d latest=@d to the beginning of your search.

0 Karma
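
An added example, not part of any post in this thread: it applies the hour-of-day filter before aggregation, as the replies above suggest, and then uses chart over an hour field instead of timechart, so the rows are hours 06 to 22 and the columns are dates rather than a _time axis that runs on into the next day. The makeresults events are constructed sample data (one event every 20 minutes from 17-02-2017 to 20-02-2017), and the field names n, hour and day are assumptions; in a real search the first three lines are replaced by the base search.

```spl
| makeresults count=288
| streamstats count AS n
| eval _time = strptime("2017-02-17 00:00:00", "%Y-%m-%d %H:%M:%S") + (n - 1) * 1200
| eval hour = strftime(_time, "%H"), day = strftime(_time, "%d-%m-%Y")
| where hour >= "06" AND hour < "23"
| chart count over hour by day
```

With this sample data every cell is 3, and no rows appear for hours 23 and 00 to 05.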