Splunk Search

How to make x-axis labels show on a timechart when data contains epoch time?

Michellework
New Member

Hi, I am still fairly new in Splunk as I just started last week. Any help is appreciated!!

This is what I currently have now in my search:

index=_* OR index=* source="live logs.zip:.\\tenant_1.tgz:.\\tenant_1/application_24978294676695149906/application.log" sourcetype="tenant_1/application_00247908011074894418/application"
| eval TIME=strftime(timeStamp_Temperature, "%d-%m-%Y %H:%M:%S")
| search TIME!="31-12-9999 23:59:59"
| timechart span=1h last(TIME) as TIME by temperature_value
| eval threshold = 30

The search produced this (Above) but this isn't what I want.

This is what I want, but I require the graph to show the axis time labels (P.S. this search is based on using table, but I read in the documentation that it requires timechart to work).

May I know what I did wrong here?

Thanks in advance!

1 Solution

woodcock
Esteemed Legend

You are massively overcomplicating the situation. Try this (just TRY it, without modifying it):

 index=_* OR index=* source="live logs.zip:.\\tenant_1.tgz:.\\tenant_1/application_24978294676695149906/application.log" sourcetype="tenant_1/application_00247908011074894418/application"
| timechart span=1h avg(temperature_value)

If this doesn't look right, then add this line BEFORE the timechart line:

| eval _time=timeStamp_Temperature

Also, you might prefer min or max to avg (which is what the error was trying to tell you: you have to have a stats function applied to your field name).


DalJeanis
SplunkTrust

1) Okay, you didn't tell us what you want the graph to tell you, and your code is confusing, so we're a bit in the dark.

2) When using timechart, the x axis is always based on the value of the field _time. Whatever aggregate function you use determines the Y value, and the BY field breaks the graph up into multiple series.

3) Do you really want just the last time that each particular temperature_value occurred? That could be as simple as this...

Your search
| dedup temperature_value
| eval _time=timeStamp_Temperature
| timechart span=1h count by temperature_value

4) On the other hand, if you want to know how many times a particular temperature was hit in each hour, that would be even simpler, like this...

Your search
| eval _time=timeStamp_Temperature
| timechart span=1h count by temperature_value

5) and if you wanted the temperatures grouped into buckets or bins, for example 5 degree ranges, then you could do this:

Your search
| eval _time=timeStamp_Temperature
| bin temperature_value span=5
| timechart span=1h count by temperature_value

If none of those are what you are looking for, then please describe what you want the graph to show, and we'll get you sorted out.

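To make the behaviour behind both answers concrete (the x axis is always `_time`, `eval _time=timeStamp_Temperature` re-bases the events on the application's epoch field, and `bin` collapses temperatures into 5-degree ranges before `count by`), here is an added Python model of those SPL steps run over a handful of constructed events. It is not Splunk code and not from any of the posters; the events, the 10 000 s gap between index time and `timeStamp_Temperature`, and the helper names (`eval_time`, `bin_field`, `timechart`) are all assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (not from the original post). _time is the index
# time Splunk assigned at ingest; timeStamp_Temperature is the application's
# own epoch field, placed ~10 000 s earlier so the difference is visible.
# The last event carries the "31-12-9999 23:59:59" placeholder value that the
# original search filters out.
SENTINEL = int(datetime(9999, 12, 31, 23, 59, 59, tzinfo=timezone.utc).timestamp())
SAMPLE_EVENTS = [
    {"_time": 1700010000, "timeStamp_Temperature": 1700000000, "temperature_value": 21.0},
    {"_time": 1700010003, "timeStamp_Temperature": 1700000003, "temperature_value": 23.0},
    {"_time": 1700010006, "timeStamp_Temperature": 1700003700, "temperature_value": 26.0},
    {"_time": 1700010009, "timeStamp_Temperature": 1700003703, "temperature_value": 34.0},
    {"_time": 1700010012, "timeStamp_Temperature": SENTINEL,   "temperature_value": 30.0},
]
SPAN_1H = 3600

# The aggregate functions timechart insists on ("you have to have a stats
# function applied to your field name").
AGG = {
    "avg": lambda vals: sum(vals) / len(vals),
    "min": min,
    "max": max,
    "count": len,
    "last": lambda vals: vals[-1],
}


def floor_to_span(value, span):
    """Start of the span-sized range containing value (what bin and timechart do)."""
    return value - (value % span)


def eval_time(events, field):
    """`| eval _time=<field>`: re-base each event on the application's timestamp."""
    return [dict(e, _time=e[field]) for e in events]


def drop_placeholder(events, field):
    """`| search TIME!="31-12-9999 23:59:59"`, done on the epoch value directly."""
    return [e for e in events if e[field] != SENTINEL]


def bin_field(events, field, span):
    """`| bin <field> span=<span>`: collapse values into fixed-width ranges."""
    return [dict(e, **{field: floor_to_span(e[field], span)}) for e in events]


def timechart(events, span, func, field=None, by=None):
    """`| timechart span=<span> <func>(<field>) [by <by>]`.

    The x axis is always _time, floored to the span. Without `by` the result
    is {bucket_start: value}; with `by` it is {bucket_start: {series: value}}.
    """
    buckets = defaultdict(lambda: defaultdict(list))
    for e in sorted(events, key=lambda e: e["_time"]):
        series = e[by] if by else None
        buckets[floor_to_span(e["_time"], span)][series].append(
            e[field] if field else 1)
    out = {}
    for start, groups in sorted(buckets.items()):
        if by:
            out[start] = {s: AGG[func](v) for s, v in groups.items()}
        else:
            out[start] = AGG[func](groups[None])
    return out


def label(epoch):
    """The axis label the original search built with strftime (UTC here)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%d-%m-%Y %H:%M:%S")


def avg_by_index_time():
    """woodcock's first search: every event lands in one hourly bucket of ingest time."""
    return timechart(SAMPLE_EVENTS, SPAN_1H, "avg", "temperature_value")


def avg_by_app_time():
    """Same search with `eval _time=timeStamp_Temperature` first: buckets follow the readings."""
    events = drop_placeholder(SAMPLE_EVENTS, "timeStamp_Temperature")
    events = eval_time(events, "timeStamp_Temperature")
    return timechart(events, SPAN_1H, "avg", "temperature_value")


def count_by_5_degree_bin():
    """DalJeanis's option 5: bin temperature_value span=5, then count by the binned value."""
    events = drop_placeholder(SAMPLE_EVENTS, "timeStamp_Temperature")
    events = eval_time(events, "timeStamp_Temperature")
    events = bin_field(events, "temperature_value", 5)
    return timechart(events, SPAN_1H, "count", by="temperature_value")


if __name__ == "__main__":
    for name, chart in [("avg over index time", avg_by_index_time()),
                        ("avg over application time", avg_by_app_time()),
                        ("count by 5-degree bin", count_by_5_degree_bin())]:
        print(name)
        for start, value in chart.items():
            print(f"  {label(start)}  {value}")
```

Running it shows why the original `by temperature_value` chart looked wrong: each distinct temperature became its own series, whereas an aggregate over `temperature_value` with `_time` set to the application's epoch field gives one line per hour with readable time labels on the x axis.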

Michellework
New Member

Hi DalJeanis,

First of all, thank you for replying to my question!

After looking at points 1 and 2, I realized what I actually needed. I require the graph to just show the temperatures (y axis) vs time (x axis). My index contains a series of temperatures recorded at 3 sec intervals (this is what I want to show).

index=_* OR index=* source="live logs.zip:.\\tenant_1.tgz:.\\tenant_1/application_24978294676695149906/application.log" sourcetype="tenant_1/application_00247908011074894418/application" | eval TIME=strftime(timeStamp_Temperature, "%d-%m-%Y %H:%M:%S")  |

TIME will convert my epoch time to time in "%d-%m-%Y %H:%M:%S", which is the label I need (with reference to ss-wrong.png, the first picture's x axis).

Hence, I am not sure how to write the timechart query such that I can get a temp vs time graph.
I tried timechart span=1h temperature_value by _time but it throws an error that I need to add an aggregate function before the temperature_value field. Is there any way to not alter the temperature values from the indexed dataset but at the same time use timechart to show time labels on the x-axis?

Thank you!!!
